Abstract—Definitions of election verifiability in the computational model of cryptography are proposed. The definitions formalize notions of voters verifying their own votes, auditors verifying the tally of votes, and auditors verifying that only eligible voters vote. The Helios (Adida et al., 2009) and JCJ (Juels et al., 2010) election schemes are analyzed using these definitions. Helios 4.0 satisfies the definitions, but Helios 2.0 does not because of previously known attacks. JCJ does not satisfy the definitions because of a trust assumption it makes, but it does satisfy a weakened definition. Two previous definitions of verifiability (Juels et al., 2010; Cortier et al., 2014) are shown to permit election schemes vulnerable to attacks, whereas the new definitions prohibit those schemes.


I.  Introduction 

Electronic voting systems that have been deployed in real-world, large-scale public elections place extensive trust in software and hardware. Unfortunately, instead of being trustworthy, many systems are vulnerable to attacks that could bring election outcomes into disrepute [22], [58], [76], [110]. So relying solely on trust in voting systems is unwise; verification of election outcomes is essential.¹

Election verifiability enables voters and auditors to ascertain the correctness of election outcomes, regardless of whether the software and hardware of the voting system are trustworthy [?], [?], [31], [77], [100]. Kremer et al. [85] decompose election verifiability into three aspects:²

• Individual verifiability: voters can check that their own ballots are recorded.

• Universal verifiability: anyone can check that the tally of recorded ballots is computed properly.

• Eligibility verifiability: anyone can check that each tallied vote was cast by an authorized voter.

We propose new definitions of these three aspects of verifiability in the computational model of cryptography. We show that individual and universal verifiability are orthogonal, and that eligibility verifiability implies individual verifiability.

¹ Doveryai, no proveryai (trust, but verify), says the Russian proverb.

² This decomposition has been criticized [91]; we refute that criticism in Section VII.

Because some electronic voting systems implement voter authentication themselves, whereas other systems outsource voter authentication to third parties, we develop two variants of our definitions—one for systems with internal authentication and another for systems with external authentication. We employ our definitions to analyze the verifiability of two well-known election schemes, JCJ [79] and Helios [5]. JCJ is an election scheme that achieves coercion resistance and has been implemented as Civitas [35]; it implements its own internal authentication. Helios is a web-based voting system that has been deployed in the real world and outsources authentication.

The Helios 2.0 election scheme is known to have vulnerabilities that enable attacks on verifiability, and several patches for those vulnerabilities have been proposed [19], [20], [39], [40]. By employing those proposed patches, we obtain a scheme called Helios 4.0 that satisfies our definition of election verifiability with external authentication. Helios 2.0, as expected, fails to satisfy our definition.

The JCJ election scheme does not satisfy our definition of eligibility verifiability, because an adversary who learns the tallier’s private key could cast unauthorized votes. We introduce a weakened definition of eligibility verifiability, incorporating JCJ’s trust assumption that the private key is unknown to the adversary, and show that JCJ satisfies our weakened definition of election verifiability with internal authentication.

Our definitions of election verifiability improve upon two previous definitions [38], [79] by detecting a new class of collusion attacks, in which the tallying algorithm announces an incorrect tally, and the verification algorithm colludes with the tallying algorithm to accept the incorrect tally. Examples of collusion attacks include vote stuffing, and announcing tallies that are independent of the election. Our definitions also improve upon those previous definitions by detecting a new class of biasing attacks, in which the verification algorithm rejects some legitimate election outcomes. Examples of biasing attacks include rejecting outcomes in which a particular candidate does not win, and rejecting all election outcomes, even correct outcomes.

This paper thus contributes to the security of electronic voting systems by

• proposing computational definitions of election verifiability,

• showing that individual, universal, and eligibility verifiability are mostly orthogonal properties of voting systems,

• proving that well-known election schemes do (or do not) satisfy election verifiability, and

• identifying collusion and biasing attacks as new classes of attacks on voting systems and demonstrating that they are not detected by two earlier definitions.

Ours are the first proofs that Helios 4.0 and JCJ satisfy a computational definition of verifiability.

Structure: Section II defines election verifiability with external authentication. Section III analyzes Helios. Section IV defines election verifiability with internal authentication. Section V analyzes JCJ. Section VI introduces collusion and biasing attacks. Section VII reviews related work, and Section VIII concludes. Appendix A defines cryptographic primitives. The remaining appendices explore alternative definitions of verifiability, give the details of Helios and JCJ, and present proofs.


II. External Authentication

Some election schemes do not implement authentication themselves, but instead rely on an external authentication mechanism. Helios, for example, supports authentication with Facebook, Google and Yahoo credentials.³ In essence, the election scheme outsources ballot authentication. We begin by defining election verifiability for that model.


A. Election scheme

An election scheme with external authentication, which henceforth in this section we abbreviate as “election scheme,” is a tuple (Setup, Vote, Tally, Verify) of probabilistic polynomial-time (PPT) algorithms:

• Setup, denoted⁴ (PK_T, SK_T, m_B, m_C) ← Setup(k), is executed by the tallier, who is responsible for tallying ballots.⁵ Setup takes a security parameter k as input and outputs a key pair (PK_T, SK_T), a maximum number of ballots m_B, and a maximum number of candidates m_C.⁶

• Vote, denoted b ← Vote(PK_T, n_C, β, k), is executed by voters. A voter makes a choice of candidate from a sequence c_1, ..., c_{n_C} of candidates. A well-formed choice is an integer β such that 1 ≤ β ≤ n_C. Vote takes as input the public key PK_T of the tallier, the number n_C of candidates, the voter’s choice β of candidate, and security parameter k. It outputs a ballot b, or error symbol ⊥. An error might occur if the candidate choice is not well-formed or for other reasons particular to the election scheme.

• Tally, denoted (X, P) ← Tally(PK_T, SK_T, BB, n_C, k), is executed by the tallier. It involves a public bulletin board BB, which we model as a set.⁷ Tally takes as input the public key PK_T and private key SK_T of the tallier, the bulletin board BB, the number of candidates n_C, and security parameter k. It outputs a tally X and a non-interactive proof P that the tally is correct. A tally is a vector X of length n_C such that X[j] indicates the number of votes for candidate c_j.⁸

• Verify, denoted v ← Verify(PK_T, BB, n_C, X, P, k), can be executed by anyone to audit the election. Verify takes as input the public key PK_T of the tallier, the bulletin board BB, the number of candidates n_C, a tally X, a proof P of correct tallying, and security parameter k. It outputs a bit v, which is 1 if the tally successfully verifies and 0 otherwise. We assume that Verify is deterministic.

³ https://github.com/benadida/helios-server/tree/master/helios_auth/auth_systems, accessed 4 Aug 2015.

⁴ Let Alg(m; r) denote the output of probabilistic algorithm Alg on input m and random coins r. Let Alg(m) denote Alg(m; r), where r is chosen uniformly at random. And let ← denote assignment.

⁵ Some election schemes (e.g., Helios and JCJ) permit the tallier’s role to be distributed amongst several talliers. For simplicity, we consider only a single tallier in this paper.

⁶ The maximum ballot and candidate numbers are used to formalize Correctness. Helios requires that the maximum number of ballots is less than or equal to the size of the underlying encryption scheme’s message space, and JCJ requires that the maximum number of candidates is less than or equal to the size of the underlying encryption scheme’s message space.

Election schemes must satisfy Correctness, which asserts that tallies produced by Tally correspond to the choices input to Vote:

Definition 1 (Correctness). There exists a negligible function μ, such that for all security parameters k, integers n_B and n_C, and choices β_1, ..., β_{n_B} ∈ {1, ..., n_C}, it holds that if Y is a vector of length n_C whose components are all 0, then

$$
\begin{aligned}
\Pr\bigl[\,& (PK_T, SK_T, m_B, m_C) \leftarrow \mathsf{Setup}(k);\\
& \text{for } 1 \le i \le n_B \text{ do}\\
&\quad b_i \leftarrow \mathsf{Vote}(PK_T, n_C, \beta_i, k);\\
&\quad Y[\beta_i] \leftarrow Y[\beta_i] + 1;\\
& BB \leftarrow \{b_1, \ldots, b_{n_B}\};\\
& (X, P) \leftarrow \mathsf{Tally}(PK_T, SK_T, BB, n_C, k) :\\
& n_B \le m_B \wedge n_C \le m_C \Rightarrow X = Y \,\bigr] > 1 - \mu(k).
\end{aligned}
$$

Note that Correctness does not involve an adversary. Correctness therefore stipulates that, under ideal conditions, an election scheme does indeed produce the correct tally. Correctness is not actually necessary to achieve verifiability: our definition of universal verifiability will ensure that, in the presence of an adversary, Verify detects any errors in the tally. But it is reasonable to rule out election schemes that simply do not work properly under ideal conditions.

⁷ Bulletin boards have also been modeled as public broadcast channels [43], [?], [103]. We abstract from the details of channels by employing sets to represent the data sent on them. We favor sets over multisets, because Cortier and Smyth [39], [40] demonstrate attacks against privacy when the bulletin board is modeled as a multiset.

⁸ Let X[i] denote component i of vector X.
Election schemes must also satisfy Completeness, which stipulates that tallies produced by Tally will actually be accepted by Verify:

Definition 2 (Completeness). There exists a negligible function μ, such that for all security parameters k, bulletin boards BB, and integers n_C, it holds that

$$
\begin{aligned}
\Pr\bigl[\,& (PK_T, SK_T, m_B, m_C) \leftarrow \mathsf{Setup}(k);\\
& (X, P) \leftarrow \mathsf{Tally}(PK_T, SK_T, BB, n_C, k) :\\
& |BB| \le m_B \wedge n_C \le m_C \Rightarrow \mathsf{Verify}(PK_T, BB, n_C, X, P, k) = 1 \,\bigr] > 1 - \mu(k).
\end{aligned}
$$

Without Completeness, election schemes might be vulnerable to biasing attacks, as we show in Section VI-B.


Finally, election schemes must satisfy Injectivity, which asserts that a ballot cannot be interpreted as a vote for more than one candidate:

Definition 3 (Injectivity). For all security parameters k, public keys PK_T, integers n_C, and choices β and β′, such that β ≠ β′, we have

$$
\Pr\bigl[\, b \leftarrow \mathsf{Vote}(PK_T, n_C, \beta, k);\ b' \leftarrow \mathsf{Vote}(PK_T, n_C, \beta', k) :\ b \ne \bot \wedge b' \ne \bot \Rightarrow b \ne b' \,\bigr] = 1.
$$


Injectivity ensures that distinct choices are not mapped by Vote to the same ballot. Without Injectivity, an election scheme might produce ballots whose meaning is ambiguous. For example, if Vote(PK_T, n_C, β, k; r) were defined to be β + r, then a ballot b could be tallied as any well-formed choice β′ such that β′ = b − r′ for some r′. But that definition of Vote is prohibited by Injectivity. Thus, Injectivity helps to ensure that the choices used to construct ballots can be uniquely tallied.

Limitations: Our model of election schemes is sufficient to analyze Helios and, after we extend the model to handle internal authentication in Section IV-A, JCJ. These are notable schemes, and formally analyzing their verifiability is a novel contribution. But there are other notable schemes that fall outside our model:

• Prêt à Voter, MarkPledge [?], Scantegrity II [28], and Remotegrity [?] all rely on features implemented with paper, such as scratch-off surfaces and detachable columns.

• Everlasting privacy [95], which requires Vote to output a public ballot and a secret proof, involving temporal information, to the voter.

• Scytl’s Pnyx.core ODBP 1.0 [34], which requires the bulletin board to be divided into two parts: a public part visible to all participants, and a secret part visible only to election administrators.

We leave extension of our model to other election schemes as future work.

B. Election verifiability

Election verifiability comprises three aspects: individual, universal, and eligibility verifiability. We express each as an experiment, which is an algorithm that outputs 0 or 1. The adversary wins an experiment by causing it to output 1.

1) Individual verifiability: In our model of election schemes, all recorded ballots are posted on the bulletin board. So for a voter to verify that their ballot has been recorded, it suffices to enable them to uniquely identify their ballot on the bulletin board.⁹

Individual verifiability experiment Exp-IV-Ext(Π, A, k), where Π denotes an election scheme, A denotes the adversary, and k denotes a security parameter, therefore challenges A to generate a scenario in which the voter cannot uniquely identify their ballot. In essence, Exp-IV-Ext challenges A to generate a collision from Vote.¹⁰ If A cannot win, then voters can uniquely identify their ballots on the bulletin board:

Exp-IV-Ext(Π, A, k) =
  1  (PK_T, n_C, β, β′) ← A(k);
  2  b ← Vote(PK_T, n_C, β, k);
  3  b′ ← Vote(PK_T, n_C, β′, k);
  4  if b = b′ ∧ b ≠ ⊥ ∧ b′ ≠ ⊥ then
  5      return 1
  6  else
  7      return 0

Line 1 asks A to compute two candidate choices β and β′, such that ballots b and b′ for those choices, as computed by Vote in lines 2 and 3, are equal. Individual verifiability thus resembles Injectivity, but individual verifiability allows choices to be equal and allows A to choose election parameters.

One way to achieve individual verifiability is to base the election scheme on a probabilistic encryption scheme, such as El Gamal [?]. Intuitively, if Vote encrypts the choice using random coins, then it is overwhelmingly unlikely that two votes will result in the same ballot. Our proofs that Helios and JCJ satisfy individual verifiability are based on this idea.

Clash attacks: In a clash attack [93], the adversary convinces some voters that a single ballot belongs to them all. Some clash attacks are possible because of vulnerabilities in the design of Vote. For example, if Vote simply outputs candidate choice β, then a voter has no way to distinguish their vote for β from another voter’s vote for β. Exp-IV-Ext detects clash attacks resulting from vulnerabilities in Vote.

Some clash attacks, however, are possible because the adversary subverts the implementation of Vote. For example, the adversary might replace some hardware or software, or compromise the random number generator. If any one of these aspects is compromised, then Vote has effectively been changed to a different algorithm Vote′. The conclusions drawn by a security analyst who uses our definition of individual verifiability to analyze Vote would not necessarily be applicable to Vote′.

In short, a voter can verify that their ballot has been recorded if and only if they run the correct Vote algorithm. We make no guarantees to voters that do not run the correct Vote algorithm. One way to make stronger guarantees is to use cut-and-choose protocols to audit ballots [?], [?]. This would require modeling voting as an interactive protocol with the adversary, rather than as an algorithm. We leave this extension as future work.

⁹ Section VIII addresses the complementary issue of whether a recorded ballot corresponds to the candidate choice a voter intended to make.

¹⁰ Exp-IV-Ext can be equivalently formulated as an experiment that challenges A to predict the output of Vote. See Appendix B for details.

2) Universal verifiability: For an election to be universally verifiable, anyone must be able to check that a tally is correct with respect to recorded ballots—that is, the tally represents the choices used to construct the recorded ballots. Because anyone can execute Verify, it suffices that Verify accepts only when that property holds.

Universal verifiability experiment Exp-UV-Ext(Π, A, k) therefore challenges adversary A to concoct a scenario in which Verify incorrectly accepts:

Exp-UV-Ext(Π, A, k) =
  1  (PK_T, BB, n_C, X, P) ← A(k);
  2  Y ← correct-tally(PK_T, BB, n_C, k);
  3  if X ≠ Y ∧ Verify(PK_T, BB, n_C, X, P, k) = 1 then
  4      return 1
  5  else
  6      return 0

In line 1, A is challenged to create a bulletin board BB and purported tally X of that bulletin board. Line 2 constructs the correct tally Y of BB, and line 3 checks whether Verify accepts an incorrect tally. If A cannot win Exp-UV-Ext, then Verify will not accept incorrect tallies. In particular, no ballots can be omitted from the tally, and at most one candidate choice can be included in the tally for each ballot.

Let function correct-tally be defined such that for all PK_T, BB, n_C, k, ℓ, and β ∈ {1, ..., n_C},

$$
\mathsf{correct\text{-}tally}(PK_T, BB, n_C, k)[\beta] = \ell
\iff \exists^{=\ell} b \in (BB \setminus \{\bot\}) :\ \exists r :\ b = \mathsf{Vote}(PK_T, n_C, \beta, k; r).
$$

The vector produced by correct-tally must be of length n_C. Component β of vector correct-tally(PK_T, BB, n_C, k) equals ℓ iff there exist¹¹ ℓ ballots on the bulletin board that are votes for candidate β. It follows that the output of correct-tally represents the choices used to construct the recorded ballots. Note that, without Injectivity, the existential quantification in correct-tally could permit a ballot to be tallied for more than one candidate. Of course, correct-tally cannot be computed by a PPT algorithm for typical cryptographic election schemes. But that does not matter, because correct-tally is never actually computed as part of an election scheme—its use is solely in the definition of Exp-UV-Ext.¹²

Security analysts must convince themselves that correct-tally is indeed correct. Because of the function’s simplicity, this should be relatively straightforward. By comparison, Tally algorithms for real voting schemes tend to be complicated. For example, compare the complexity of correct-tally to Helios’s Tally algorithm, which appears in Figure 1 of Appendix C.

By design, Exp-UV-Ext assumes that the ballots on bulletin board BB are exactly the ballots that should be tallied. The external authentication mechanism is assumed to prohibit unauthorized ballots from being posted on BB. Helios makes such an assumption about its external authentication mechanism.

¹¹ The definition of correct-tally employs a counting quantifier [105] denoted ∃^{=ℓ}. Predicate (∃^{=ℓ} x : P(x)) holds exactly when there are ℓ distinct values for x such that P(x) is satisfied. Variable x is bound by the quantifier, whereas ℓ is free.

3) Eligibility verifiability: For an election to satisfy eligibility verifiability, anyone must be able to check that every tallied vote was cast by an authorized voter—that is, it must be possible to authenticate ballots. In election schemes with external authentication, a trusted third party authenticates ballots. That third party might convince itself that all tallied ballots have been authenticated, but it cannot convince all other parties. Eligibility verifiability, therefore, is not achievable in election schemes with external authentication.

4) Election verifiability: With Exp-IV-Ext and Exp-UV-Ext, we define election verifiability with external authentication. Let a PPT adversary’s success Succ(Exp(·)) in an experiment Exp(·) be the probability that the adversary wins—that is, Succ(Exp(·)) = Pr[Exp(·) = 1].

Definition 4 (Ver-Ext). An election scheme Π satisfies election verifiability with external authentication (Ver-Ext) if for all PPT adversaries A, there exists a negligible function μ, such that for all security parameters k, it holds that Succ(Exp-IV-Ext(Π, A, k)) + Succ(Exp-UV-Ext(Π, A, k)) ≤ μ(k).

An election scheme satisfies individual verifiability if Succ(Exp-IV-Ext(Π, A, k)) ≤ μ(k), and similarly for universal verifiability.

C. Example—Toy scheme from nonces

A toy election scheme satisfying Ver-Ext can be based on nonces. Each voter publishes a nonce paired with her choice of candidate to the bulletin board. This scheme illustrates the essence of election verifiability, even though it does not offer any privacy.

Definition 5. Election scheme Nonce is defined as follows:

• Setup(k) outputs (⊥, ⊥, p_1(k), p_2(k)), where p_1 and p_2 may be any polynomial functions.

• Vote(PK_T, n_C, β, k) selects a nonce r uniformly at random from Z_{2^k} and outputs (r, β).

• Tally(PK_T, SK_T, BB, n_C, k) computes a vector X of length n_C, such that X is a tally of the votes on BB for which the nonce is in Z_{2^k}, and outputs (X, ⊥).

• Verify(PK_T, BB, n_C, X, P, k) outputs 1 if (X, P) = Tally(⊥, ⊥, BB, n_C, k) and 0 otherwise.

Proposition 1. Nonce satisfies Ver-Ext.

Proof sketch. Nonce satisfies individual verifiability, because voters can use their nonce to check that their own ballot appears on the bulletin board. With overwhelming probability, Vote will select unique nonces for each voter, hence generate distinct ballots. Nonce also satisfies universal verifiability, because plaintext candidate choices are posted on the bulletin board. □

¹² Kiayias et al. [83] use a similar super-polynomial vote extractor to recover choices from ballots in an experiment defining verifiability.

D.  Orthogonality 

Exp-IV-Ext  and  Exp-UV-Ext  capture  orthogonal  security 
properties.  A  scheme  that  satisfies  individual  verifiability  but 
violates  universal  verifiability  can  be  constructed  from  Nonce 
by  modifying  Verify  to  always  output  1.  Voters  can  still  check 
that  their  own  ballot  appears.  But  an  adversary  can  easily  win 
Exp-UV-Ext,  because  Verify  will  accept  any  tally.  A  scheme 
that  satisfies  universal  verifiability  but  violates  individual 
verifiability  can  be  constructed  from  Nonce  by  removing  the 
nonces,  leaving  just  the  voter’s  choice  in  the  ballots.  Call 
that  scheme  Choice.  Anyone  can  still  verify  the  tally  of  the 
election,  but  an  adversary  can  easily  win  Exp-IV-Ext,  because 
two  votes  for  the  same  candidate  will  collide. 
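The Nonce scheme of Section II-C, its two Section II-D variants (a colluding Verify that accepts everything, and the nonce-free Choice scheme), and the experiments Exp-IV-Ext and Exp-UV-Ext of Section II-B, as an added Python example that is not code from the paper. The two adversaries, the choice p_1 = p_2 = identity for Setup, and the skipping of ill-formed ballots in Tally are assumptions of this example; because Nonce ballots are plaintext, correct-tally can actually be computed here.

```python
"""Toy Nonce scheme (Definition 5) with Exp-IV-Ext and Exp-UV-Ext.

Added example, not code from the paper. Ballots are plaintext pairs
(r, beta), so correct-tally is computable here; for cryptographic schemes
it is not. Assumed: p1 = p2 = identity, and Tally skips ill-formed ballots.
"""
import secrets
from collections import namedtuple

BOTTOM = None  # the error symbol, also used for the absent key / proof

# (Setup, Vote, Tally, Verify) plus the analyst's correct-tally, which is not
# part of the scheme: it only lets Exp-UV-Ext judge an announced tally X.
Scheme = namedtuple("Scheme", "setup vote tally verify correct_tally")

def well_formed(beta, nc):
    """A well-formed choice is an integer beta with 1 <= beta <= n_C."""
    return isinstance(beta, int) and 1 <= beta <= nc

# --- Nonce (Section II-C) ----------------------------------------------------
def nonce_setup(k):
    return (BOTTOM, BOTTOM, k, k)  # no keys; m_B = p1(k), m_C = p2(k)

def nonce_vote(pk_t, nc, beta, k):
    if not well_formed(beta, nc):
        return BOTTOM
    return (secrets.randbelow(2 ** k), beta)  # nonce uniform in Z_{2^k}

def nonce_correct_tally(bb, nc, k):
    # Component beta counts the distinct b in BB \ {bottom} for which some r
    # gives b = Vote(bottom, n_C, beta, k; r), i.e. b = (r, beta), r in Z_{2^k}.
    y = [0] * nc
    for b in bb - {BOTTOM}:
        if isinstance(b, tuple) and len(b) == 2:
            r, beta = b
            if isinstance(r, int) and 0 <= r < 2 ** k and well_formed(beta, nc):
                y[beta - 1] += 1
    return tuple(y)

def nonce_tally(pk_t, sk_t, bb, nc, k):
    return (nonce_correct_tally(bb, nc, k), BOTTOM)  # plaintext: no proof

def nonce_verify(pk_t, bb, nc, x, p, k):
    # Verify recomputes Tally with bottom keys and compares the result.
    return 1 if (x, p) == nonce_tally(BOTTOM, BOTTOM, bb, nc, k) else 0

NONCE = Scheme(nonce_setup, nonce_vote, nonce_tally, nonce_verify, nonce_correct_tally)

# --- Section II-D variants ---------------------------------------------------
# Nonce whose Verify accepts every announced tally (it colludes with Tally).
ALWAYS_ACCEPT = NONCE._replace(verify=lambda *args: 1)

def choice_vote(pk_t, nc, beta, k):
    return beta if well_formed(beta, nc) else BOTTOM  # ballot is just beta

def choice_correct_tally(bb, nc, k):
    # BB is a set, so at most one ballot per candidate can ever be recorded.
    return tuple(1 if beta in bb else 0 for beta in range(1, nc + 1))

def choice_tally(pk_t, sk_t, bb, nc, k):
    return (choice_correct_tally(bb, nc, k), BOTTOM)

def choice_verify(pk_t, bb, nc, x, p, k):
    return 1 if (x, p) == choice_tally(BOTTOM, BOTTOM, bb, nc, k) else 0

CHOICE = Scheme(nonce_setup, choice_vote, choice_tally, choice_verify, choice_correct_tally)

# --- Experiments (Section II-B) ----------------------------------------------
def exp_iv_ext(scheme, adversary, k):
    pk_t, nc, beta, beta2 = adversary(k)   # line 1
    b = scheme.vote(pk_t, nc, beta, k)     # line 2
    b2 = scheme.vote(pk_t, nc, beta2, k)   # line 3
    return 1 if b == b2 and b is not BOTTOM and b2 is not BOTTOM else 0

def exp_uv_ext(scheme, adversary, k):
    pk_t, bb, nc, x, p = adversary(k)      # line 1
    y = scheme.correct_tally(bb, nc, k)    # line 2
    return 1 if x != y and scheme.verify(pk_t, bb, nc, x, p, k) == 1 else 0

# --- Adversaries constructed for this example ---------------------------------
def adv_same_candidate_twice(k):
    """Two votes for candidate 1; wins Exp-IV-Ext iff the ballots collide."""
    return (BOTTOM, 2, 1, 1)

def adv_vote_stuffing(k):
    """One ballot for candidate 1 but an announced tally of two votes for
    candidate 2: a collusion attack in the sense of Section VI."""
    return (BOTTOM, {(secrets.randbelow(2 ** k), 1)}, 2, (0, 2), BOTTOM)

def success_rate(experiment, scheme, adversary, k, trials=100):
    """Empirical Succ(Exp(...)): fraction of independent runs the adversary wins."""
    return sum(experiment(scheme, adversary, k) for _ in range(trials)) / trials

if __name__ == "__main__":
    for name, s in (("Nonce", NONCE), ("Choice", CHOICE), ("AlwaysAccept", ALWAYS_ACCEPT)):
        print(name, success_rate(exp_iv_ext, s, adv_same_candidate_twice, 128),
              success_rate(exp_uv_ext, s, adv_vote_stuffing, 128))
```

Running it shows Nonce resisting both adversaries, Choice losing only Exp-IV-Ext, and the always-accepting variant losing only Exp-UV-Ext, which is the orthogonality claim of Section II-D.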

III. Case Study: Helios

Helios is an open-source, web-based electronic voting system.¹³ Helios has been deployed in the real world: the International Association of Cryptologic Research (IACR) has used Helios annually since 2010 to elect board members [16], [65], [72], the Catholic University of Louvain used Helios to elect the university president [5], and Princeton University has used Helios to elect several student governments [3], [99].

Attacks have been discovered against the original Helios scheme, and defenses against those attacks have been proposed [19], [20], [39], [40]. For clarity, we write Helios 2.0 to refer to the Helios scheme as originally proposed [5] and Helios 4.0 to refer to a version of Helios that incorporates the defenses.¹⁴ When referring in general to both of these schemes, we simply write Helios.

To achieve verifiability while maintaining ballot secrecy [?], [20], Helios homomorphically encrypts candidate choices. During tallying, all encrypted choices are homomorphically combined¹⁵ into a single ciphertext, which is then decrypted to reveal the tally. Informally, Helios works as follows:

• Setup. The tallier generates a key pair for a homomorphic encryption scheme and publishes the public key.

• Voting. A voter encrypts her candidate choice with the tallier’s public key, and she proves in zero knowledge that the ciphertext contains a well-formed choice. The voter posts her ballot (i.e., ciphertext and proof) on the bulletin board. During posting, the bulletin board is assumed to correctly authenticate voters.

• Tallying. The tallier discards any ballots from the bulletin board for which proofs do not hold. The tallier homomorphically combines the ciphertexts in the remaining ballots, decrypts the homomorphic combination, and proves in zero knowledge that decryption was performed correctly. Finally, the tallier publishes the winning candidate and proof of correct decryption.

• Verification. A verifier recomputes the homomorphic combination and checks all the zero-knowledge proofs.

We give a formal description of Helios 4.0 in Appendix C.¹⁶ Using that formalization, we can prove that Helios 4.0 is verifiable:

Theorem 2. Helios 4.0 satisfies Ver-Ext.

Proof sketch. Helios 4.0 satisfies individual verifiability, because the probabilistic encryption scheme ensures that ballots are unique, with overwhelming probability. And Helios 4.0 satisfies universal verifiability, because the zero-knowledge proofs can be publicly verified. □

A formal proof of Theorem 2 appears in Appendix D. The proof assumes the random oracle model [?].

We would not expect Ver-Ext to hold for Helios 2.0, because of known attacks [20]. Accordingly, we prove that Helios 2.0 does not satisfy Ver-Ext in Appendix E.

¹³ https://vote.heliosvoting.org/

¹⁴ Our analysis of Helios 4.0 is based on the specification [?] for the next release. This specification incorporates proposals by Cortier and Smyth [40] for non-malleable ballots and by Bernhard et al. [20] to replace the weak Fiat-Shamir transformation with the strong Fiat-Shamir transformation.

¹⁵ The homomorphic combination of ciphertexts is straightforward for two-candidate elections [?], [?], [36], [69], [102], since choices (e.g., “yes” or “no”) can be encoded as 1 or 0. Multi-candidate elections are also possible [?], [?], [?].


IV. Internal Authentication

Some election schemes implement their own authentication mechanisms. JCJ [77]-[79] and Civitas [35], for example, authenticate ballots based on credentials issued to voters by a registration authority. Schemes with this kind of internal authentication enable verification of whether tallied ballots were cast by authorized voters.


A.  Election  scheme 

A  registrar  is  responsible  for  issuing  authentication  creden¬ 
tials  to  voters  [3  Each  voter  is  associated  with  a  credential  pair 
( pk ,  sk).  The  voter  uses  private  credential  sk  to  construct 
a  ballot.  Public  credential  pk  is  used  during  tallying  and 
verification.  Let  L  denote  the  electoral  roll ,  which  is  the  set 
of  all  public  credentials. 


16Our  formalization  is  the  first  cryptographic  description  of  Helios  4.0, 
hence  an  additional  contribution  of  this  work. 

17Some  election  schemes  (e.g.,  JCI)  permit  the  registrar’s  role  to  be 
distributed  among  several  registrars.  For  simplicity,  we  consider  only  a  single 
registrar  in  this  paper. 
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An  election  scheme  with  internal  authentication ,  which 
henceforth  in  this  section  we  abbreviate  as  “election  scheme,” 
is  a  tuple  (Setup,  Register,  Vote,  Tally,  Verify)  of  PPT  algo¬ 
rithms.  The  algorithms  are  now  denoted  as  follows: 

•  {PK 7-,  SKj-,  ms,  me)  4-  Setup(fc) 

•  {pk,  sk)  4-  Register(P/l 7-,  k) 

•  b  4-  Vote(sfc,  PKj-,  nc,  P,  k) 

.  (X,  P )  <-  Tally(PXr,  SKr ,  BB ,  L,  nc,  k) 

•  v  4-  Verify  {PKp,  BB,  L,  nc,  X,  P,  k) 


Setup is unchanged from election schemes with external 
authentication (cf. §II-A). The only change to Vote is that it 
now accepts private credential sk as input. Similarly, the only 
change to Tally and Verify is that they now accept electoral 
roll L as input. Register is executed by the registrar. It takes as 
input the public key PK_T of the tallier and security parameter 
k, and it outputs a credential pair (pk, sk). After all voters 
have been registered, the registrar certifies the electoral roll, 
perhaps by digitally signing and publishing it.¹⁸ 

Election  schemes  must  continue  to  satisfy  Correctness, 
Completeness,  and  Injectivity,  which  we  update  to  include 
private  credentials  and  the  electoral  roll: 


Definition 6 (Correctness). There exists a negligible function 
μ, such that for all security parameters k, integers n_B and 
n_C, and choices β_1, ..., β_{n_B} ∈ {1, ..., n_C}, it holds that 
if Y is a vector of length n_C whose components are all 0, then 

$\Pr[(PK_T, SK_T, m_B, m_C) \leftarrow \mathsf{Setup}(k);$ 
$\quad \mathbf{for}\ 1 \le i \le n_B\ \mathbf{do}$ 
$\qquad (pk_i, sk_i) \leftarrow \mathsf{Register}(PK_T, k);$ 
$\qquad b_i \leftarrow \mathsf{Vote}(sk_i, PK_T, n_C, \beta_i, k);$ 
$\qquad Y[\beta_i] \leftarrow Y[\beta_i] + 1;$ 
$\quad L \leftarrow \{pk_1, \ldots, pk_{n_B}\};$ 
$\quad BB \leftarrow \{b_1, \ldots, b_{n_B}\};$ 
$\quad (X, P) \leftarrow \mathsf{Tally}(PK_T, SK_T, BB, L, n_C, k) :$ 
$\quad n_B \le m_B \wedge n_C \le m_C \Rightarrow X = Y] \ge 1 - \mu(k).$ 

Definition 7 (Completeness). There exists a negligible function 
μ, such that for all security parameters k, bulletin boards 
BB, and integers n_C and n_V, it holds that 

$\Pr[(PK_T, SK_T, m_B, m_C) \leftarrow \mathsf{Setup}(k);$ 
$\quad \mathbf{for}\ 1 \le i \le n_V\ \mathbf{do}\ (pk_i, sk_i) \leftarrow \mathsf{Register}(PK_T, k);$ 
$\quad L \leftarrow \{pk_1, \ldots, pk_{n_V}\};$ 
$\quad (X, P) \leftarrow \mathsf{Tally}(PK_T, SK_T, BB, L, n_C, k) :$ 
$\quad |BB| \le m_B \wedge n_C \le m_C \Rightarrow \mathsf{Verify}(PK_T, BB, L, n_C, X, P, k) = 1] \ge 1 - \mu(k).$ 

Definition 8 (Injectivity). For all security parameters k, public 
keys PK_T, integers n_C, and choices β and β' such that β ≠ β', 
we have 

$\Pr[(pk, sk) \leftarrow \mathsf{Register}(PK_T, k);$ 
$\quad (pk', sk') \leftarrow \mathsf{Register}(PK_T, k);$ 
$\quad b \leftarrow \mathsf{Vote}(sk, PK_T, n_C, \beta, k);$ 
$\quad b' \leftarrow \mathsf{Vote}(sk', PK_T, n_C, \beta', k) :$ 
$\quad b \ne \bot \wedge b' \ne \bot \Rightarrow b \ne b'] = 1.$ 

18. It might seem surprising that Register does not require the registrar to 
provide any private keys as input. But in constructions of election schemes 
with internal authentication, e.g., [35], [79], the registrar does not sign 
credential pairs with its own private key. Rather, the registrar signs the 
electoral roll. 

B. Election verifiability 

Recall (from §II-B) that election verifiability is expressed 
with experiments, and that an adversary wins by causing an 
experiment to output 1. We henceforth assume that the adversary 
is stateful — that is, information persists across invocations 
of the adversary in a single experiment. Our experiments in 
Section II did not need this assumption, because they never 
invoked the adversary more than once. 

In our experiments, below, we model an adversary who 
cannot corrupt the registration process that issues credentials 
to voters.¹⁹ Hence our definitions will not detect attacks 
against verifiability that result solely from weaknesses in the 
registration process. Secure construction of electoral rolls is 
not a topic that electronic voting usually addresses — though it 
seems an important part of any real-world deployment. 

1) Individual verifiability: The individual verifiability 
experiment again challenges adversary A to generate a scenario 
in which the voter could not uniquely identify their ballot:²⁰ 


Exp-IV-Int(Π, A, k) = 

 1  (PK_T, n_V) ← A(k); 
 2  for 1 ≤ i ≤ n_V do (pk_i, sk_i) ← Register(PK_T, k); 
 3  L ← {pk_1, ..., pk_{n_V}}; 
 4  Crpt ← ∅; 
 5  (n_C, β, β', i, j) ← A^C(L); 
 6  b ← Vote(sk_i, PK_T, n_C, β, k); 
 7  b' ← Vote(sk_j, PK_T, n_C, β', k); 
 8  if b = b' ∧ b ≠ ⊥ ∧ b' ≠ ⊥ ∧ i ≠ j ∧ sk_i ∉ Crpt ∧ sk_j ∉ Crpt then 
 9      return 1 
10  else 
11      return 0 


The main differences from the corresponding experiment for 
external authentication (§II-B1) are that voters are registered in 
line 2, and that A is given access to an oracle C in line 5. The 
oracle is used to model A corrupting voters and learning their 
private credentials: on invocation C(ℓ), where 1 ≤ ℓ ≤ n_V, 
the oracle records that voter ℓ is corrupted by updating Crpt 
to be Crpt ∪ {sk_ℓ} and outputs sk_ℓ. In line 5, the voter indices 
output by A must be legal with respect to n_V, but we elide 
that detail from the experiment for simplicity. Line 8 ensures 
that A cannot trivially win by corrupting voters. 


19. Küsters and Truderung [89] explore some consequences of permitting 
adversarial influence during registration. 

20. Unlike Exp-IV-Ext, a variant of Exp-IV-Int that challenges A to predict 
the output of Vote is strictly stronger. See Appendix B for details. 
2) Universal verifiability: The universal verifiability 
experiment again challenges A to concoct a scenario in which Verify 
incorrectly accepts: 

Exp-UV-Int(Π, A, k) = 

 1  (PK_T, n_V) ← A(k); 
 2  for 1 ≤ i ≤ n_V do (pk_i, sk_i) ← Register(PK_T, k); 
 3  L ← {pk_1, ..., pk_{n_V}}; 
 4  M ← {(pk_1, sk_1), ..., (pk_{n_V}, sk_{n_V})}; 
 5  (BB, n_C, X, P) ← A(M); 
 6  Y ← correct-tally(PK_T, BB, M, n_C, k); 
 7  if X ≠ Y ∧ Verify(PK_T, BB, L, n_C, X, P, k) = 1 then 
 8      return 1 
 9  else 
10      return 0 


The main differences from the corresponding experiment for 
external authentication (§II-B2) are that voters are registered 
in line 2, and their credential pairs are used in the rest of the 
experiment. 

Function correct-tally is now modified to tally only authorized 
ballots. A ballot is authorized if it is constructed with a 
private credential from M, and that private credential was not 
used to construct any other ballot on BB. By comparison, the 
original correct-tally function (§II-B2) tallies all the ballots 
on BB. 

Formally, let function correct-tally now be defined such 
that for all PK_T, BB, M, n_C, k, ℓ, and β ∈ {1, ..., n_C}, 

$\mathsf{correct\text{-}tally}(PK_T, BB, M, n_C, k)[\beta] = \ell \iff$ 
$\quad \exists^{=\ell}\, b \in \mathsf{authorized}(PK_T, BB \setminus \{\bot\}, M, n_C, k) :$ 
$\quad \exists sk, r : b = \mathsf{Vote}(sk, PK_T, n_C, \beta, k; r).$ 


Let authorized be defined as follows: 

$\mathsf{authorized}(PK_T, BB, M, n_C, k) = \{\, b : b \in BB$ 
$\quad \wedge\ \exists pk, sk, \beta, r : b = \mathsf{Vote}(sk, PK_T, n_C, \beta, k; r)$ 
$\quad \wedge\ (pk, sk) \in M \ \wedge\ \neg\exists b', \beta', r' : b' \in (BB \setminus \{b\})$ 
$\qquad \wedge\ b' = \mathsf{Vote}(sk, PK_T, n_C, \beta', k; r') \,\}.$ 

Function authorized discards all revotes — that is, if there is 
more than one ballot submitted with a private credential sk, 
then all ballots submitted under that credential are discarded. 
Therefore, election schemes that permit revoting cannot be 
analyzed with this definition of authorized. But alternative 
definitions of authorized are possible — for example, if ballots 
were timestamped, authorized could discard all but the most 
recent ballot submitted under a particular credential. 

3) Eligibility verifiability: Recall (from §II-B3) that for 
an election scheme to satisfy eligibility verifiability, anyone 
must be able to check that every tallied vote was cast by an 
authorized voter — that is, it must be possible to authenticate 
ballots. Because voters are issued credential pairs that can 
be used to authenticate ballots, it suffices to ensure that 
knowledge of a private credential is necessary to construct 
an authentic ballot. Eligibility verifiability experiment Exp-EV-Int 
therefore challenges A to produce a ballot under a private credential 
that A does not know: 

Exp-EV-Int(Π, A, k) = 

 1  (PK_T, n_V) ← A(k); 
 2  for 1 ≤ i ≤ n_V do (pk_i, sk_i) ← Register(PK_T, k); 
 3  L ← {pk_1, ..., pk_{n_V}}; 
 4  Crpt ← ∅; Rvld ← ∅; 
 5  (n_C, β, i, b) ← A^{C,R}(L); 
 6  if ∃r : b = Vote(sk_i, PK_T, n_C, β, k; r) ∧ b ≠ ⊥ ∧ b ∉ Rvld ∧ sk_i ∉ Crpt then 
 7      return 1 
 8  else 
 9      return 0 


In line 1, A chooses the tallier's public key and the number of 
voters. Line 2 registers voters. A is not permitted to influence 
registration while it is in progress. In particular, A is not 
permitted to choose credential pairs, because by doing so A 
could trivially win the experiment. 

Line  4  initializes  two  sets:  Crpt  is  a  set  of  voters  who 
have  been  corrupted,  meaning  that  A  has  learned  their  private 
credential,  and  Rvld  is  a  set  of  ballots  that  have  been  revealed 
to  A.  The  former  set  models  A  coercing  voters  to  reveal  their 
private  credentials.  The  latter  set  models  A  observing  ballots 
on  the  bulletin  board. 

Line 5 challenges A to produce a ballot b with the help 
of two oracles. Oracle C is the same oracle as in Exp-IV-Int 
(cf. §IV-B1); it leaks the private credentials of corrupted voters 
to A. Oracle R reveals ballots. On invocation R(i, β, n_C), 
where 1 ≤ i ≤ n_V, oracle R does the following: 

• Computes a ballot b that represents a vote for candidate 
β by a voter with private credential sk_i, that is, computes 
b ← Vote(sk_i, PK_T, n_C, β, k). 

• Records b as being revealed by updating Rvld to be 
Rvld ∪ {b}. 

• Outputs b. 

In  line  6,  A  wins  if  (i)  the  ballot  is  authentic,  meaning  that 
it  is  the  output  of  Vote  on  an  authorized  credential,  and  (ii) 
that  credential  belongs  to  a  voter  that  A  did  not  corrupt,  and 
(iii)  that  ballot  was  not  revealed.  If  A  cannot  succeed  in  this 
experiment,  then  only  authorized  votes  are  tallied. 

4)  Election  verifiability:  With  Exp-IV-Int,  Exp-UV-Int,  and 
Exp-EV-Int,  we  define  election  verifiability  with  internal  au¬ 
thentication. 


Definition 9 (Ver-Int). An election scheme Π satisfies election 
verifiability with internal authentication (Ver-Int) if for 
all PPT adversaries A, there exists a negligible function 
μ, such that for all security parameters k, it holds that 
Succ(Exp-IV-Int(Π, A, k)) + Succ(Exp-UV-Int(Π, A, k)) + 
Succ(Exp-EV-Int(Π, A, k)) ≤ μ(k). 

An election scheme satisfies eligibility verifiability if 
Succ(Exp-EV-Int(Π, A, k)) ≤ μ(k), and similarly for individual 
and universal verifiability. 
C. Example — Toy schemes from digital signatures 

A toy election scheme satisfying Ver-Int can be based 
on a digital signature scheme (Gen, Sign, Ver).²¹ Each voter 
publishes their signed candidate choice on the bulletin board. 

Definition 10. Election scheme Sig is defined as follows: 

• Setup(k) outputs (⊥, ⊥, p_1(k), p_2(k)), where p_1 and p_2 
may be any polynomial functions. 

• Register(PK_T, k) computes (pk, sk) ← Gen(1^k) and 
outputs (pk, sk). 

• Vote(sk, PK_T, n_C, β, k) outputs (β, Sign(sk, β)). 

• Tally(PK_T, SK_T, BB, L, n_C, k) computes a vector X 
of length n_C, such that X is a tally of all the ballots 
on BB that are signed by distinct private keys whose 
corresponding public keys appear in L, and outputs 
(X, ⊥). 

• Verify(PK_T, BB, L, n_C, X, P, k) outputs 1 if (X, P) = 
Tally(⊥, ⊥, BB, L, n_C, ⊥) and 0 otherwise. 

The verifiability of Sig follows from the security of the 
underlying signature scheme: 

Proposition 3. If (Gen, Sign, Ver) is a signature scheme 
satisfying existential unforgeability under adaptive chosen- 
message attack,²² then Sig satisfies Ver-Int. 

Proof sketch. Sig satisfies individual verifiability, because voters 
can verify that their signed choices appear on the bulletin 
board. Sig satisfies universal verifiability, because signed plaintext 
choices are posted on BB. Finally, Sig satisfies eligibility 
verifiability, because anyone can check that the signed choices 
belong to registered voters. □ 

D.  Orthogonality 

Exp-IV-Int, Exp-UV-Int, and Exp-EV-Int capture mostly 
orthogonal security properties, as shown in Table I. Individual 
and universal verifiability are orthogonal, and eligibility 
verifiability implies individual verifiability. 

Theorem  4.  If  an  election  scheme  II  satisfies  Exp-EV-Int, 
then  II  also  satisfies  Exp-IV-Int. 

Proof  sketch.  If  II  satisfies  Exp-EV-Int,  then  no  one  can 
construct  a  ballot  that  appears  to  be  associated  with  public 
credential  pk  unless  they  know  private  credential  sk.  That 
means  that  a  voter  can  uniquely  identify  their  ballot,  because 
no  one  else  knows  their  private  credential.  Therefore  II  satis¬ 
fies  Exp-IV-Int.  □ 

The proof of Theorem 4 appears in Appendix F. 

21. Digital signature schemes are defined in Appendix A. 

22. This security property is defined in Appendix A. 

TABLE I 
Election schemes that satisfy each combination of individual, 
universal and eligibility verifiability 

Line   IV   UV   EV   Scheme 
  1    ✗    ✗    ✗    AlwaysVerify(IgnoreCreds(Choice)) 
  2    ✗    ✗    ✓    — 
  3    ✗    ✓    ✗    IgnoreCreds(Choice) 
  4    ✗    ✓    ✓    — 
  5    ✓    ✗    ✗    AlwaysVerify(IgnoreCreds(Nonce)) 
  6    ✓    ✗    ✓    AlwaysVerify(Sig) 
  7    ✓    ✓    ✗    Malleable Sig 
  8    ✓    ✓    ✓    Sig 

In Table I, AlwaysVerify(·) is a function that transforms 
an election scheme by compromising Verify to always return 1. 
Thus, AlwaysVerify(Π) is guaranteed not to satisfy 
Exp-UV-Int. Similarly, IgnoreCreds(·) is a function that accepts 
as input an election scheme with external authentication 
and returns as output an election scheme with internal 
authentication. The resulting scheme, however, simply ignores 
credentials altogether: Register returns (⊥, ⊥), Vote ignores 
sk, and Tally and Verify ignore L. Thus, IgnoreCreds(Π) is 
guaranteed not to satisfy Exp-EV-Int. Using those functions, 
we briefly explain each line of the table: 

1) Recall (from §II-D) that Choice is the election scheme in 
which ballots contain only the plaintext candidate choice. 
By compromising Verify and ignoring credentials, we 
obtain a scheme that satisfies no properties. 

2) By Theorem 4, this situation is impossible. 

3) Compared to line 1 of Table I, this scheme satisfies 
Exp-UV-Int, because Verify is not compromised. 

4) By Theorem 4, this situation is impossible. 

5) Nonce satisfies Exp-IV-Ext and Exp-UV-Ext. Moreover, 
IgnoreCreds(Nonce) satisfies Exp-IV-Int and Exp-UV-Int. 
By compromising Verify, we obtain a scheme that satisfies 
only Exp-IV-Int. 

6) Sig satisfies all three properties. By compromising Verify, 
we obtain a scheme that satisfies only Exp-IV-Int and 
Exp-EV-Int. 

7) By making Sig's underlying signature scheme malleable,²³ 
we could obtain a scheme that does not satisfy 
Exp-EV-Int, because the adversary could construct a valid 
ballot out of a revealed ballot. But the scheme would 
continue to satisfy Exp-IV-Int and Exp-UV-Int. 

8) Sig satisfies all three properties. 

V. Case Study: JCJ 

JCJ (named for its designers, Juels, Catalano, and Jakobsson) 
[77]–[79] is a coercion-resistant election scheme, meaning 
voters cannot prove whether or how they voted, even if 
they can interact with the adversary while voting. Coercion 
resistance protects elections from improper influence by 
adversaries. 

To achieve verifiability and coercion resistance, JCJ uses 
verifiable mixnets, which anonymize a set of messages.²⁴ 
During tallying, all encrypted choices are anonymized by a 
mixnet, then all choices are decrypted. The tally is computed 
from the decrypted choices. Informally, JCJ works as follows: 

23. Given a message m and signature σ, a malleable signature scheme 
permits computation of a signature σ' on a related message m' [25]. The 
malleable signature scheme Sig used in line 7 of Table I would need to 
enable an adversary to transform a signature on a well-formed candidate β 
into a signature on a distinct, well-formed candidate β'. 

24. Chaum [26] introduced mixnets. Adida [1] surveys verifiable mixnets. 
• Setup. The tallier generates a key pair (PK_T, SK_T) for 
an encryption scheme and publishes the public key. 

• Registration. To register a voter, the registrar generates 
a nonce, which is sent to the voter and serves as the 
private credential. The public credential is computed as an 
encryption of the private credential with PK_T. After all 
voters are registered, the registrar publishes the electoral 
roll. 

• Voting. A voter encrypts her candidate choice with PK_T. 
She also encrypts her private credential with PK_T. She 
proves in zero-knowledge that she simultaneously knows 
both plaintexts, and that her choice is well-formed. The 
voter posts her ballot (i.e., both ciphertexts and the proof) 
on the bulletin board. 

• Tallying. The tallier discards any ballots from the bulletin 
board for which the zero-knowledge proofs do not verify. 
All unauthorized ballots are then discarded through a 
combination of protocols that includes verifiable mixnets 
and plaintext equivalence tests (PETs) [74]. (PETs enable 
proof that two ciphertexts contain the same plaintext 
without revealing that plaintext.) The tallier decrypts and 
publishes the remaining ballots, along with a proof that 
decryption was performed correctly. 

• Verification. A verifier checks all the proofs included in 
ballots, and all the proofs published during tallying. 

Appendix G gives a formal description of JCJ. That formalization 
satisfies individual and universal verifiability, assuming 
that the cryptographic primitives satisfy certain properties that 
we identify. But the formalization fails to satisfy eligibility 
verifiability, because knowledge of the tallier's private key 
SK_T suffices to construct ballots that appear authentic: with 
SK_T, any public credential can be decrypted to discover the 
corresponding private credential. Note that Exp-EV-Int permits 
an adversary A to choose the tallier's key pair, so A does 
know SK_T, hence can construct a ballot that suffices to win 
Exp-EV-Int. 

We  can  nonetheless  prove  that  JCJ  satisfies  a  variant  of 
eligibility  verifiability.  Consider  the  following  experiment, 
which  does  not  permit  the  adversary  to  choose  the  tallier’s 
key  pair: 

Exp-EV-Int-Weak(Π, A, k) = 

 1  (PK_T, SK_T, m_B, m_C) ← Setup(k); 
 2  n_V ← A(PK_T, k); 
 3  for 1 ≤ i ≤ n_V do (pk_i, sk_i) ← Register(PK_T, k); 
 4  L ← {pk_1, ..., pk_{n_V}}; 
 5  Crpt ← ∅; Rvld ← ∅; 
 6  (n_C, β, i, b) ← A^{C,R}(L); 
 7  if ∃r : b = Vote(sk_i, PK_T, n_C, β, k; r) ∧ b ≠ ⊥ ∧ b ∉ Rvld ∧ sk_i ∉ Crpt then 
 8      return 1 
 9  else 
10      return 0 

Line 1 of Exp-EV-Int has been refactored into lines 1 and 2 
of Exp-EV-Int-Weak. In line 1 of Exp-EV-Int-Weak, keys are 
generated by the experiment. In line 2, A is given the public 
key but not the private key. 

Using Exp-EV-Int-Weak, we define a weaker variant of 
Ver-Int and prove that JCJ satisfies it: 

Definition 11 (Ver-Int-Weak). An election scheme Π satisfies 
weak election verifiability with internal authentication 
(Ver-Int-Weak) if for all probabilistic polynomial-time adversaries 
A, there exists a negligible function μ, such that for all 
security parameters k, we have Succ(Exp-IV-Int(Π, A, k)) + 
Succ(Exp-UV-Int(Π, A, k)) + Succ(Exp-EV-Int-Weak(Π, A, 
k)) ≤ μ(k). 

Theorem 5. JCJ satisfies Ver-Int-Weak. 

Proof sketch. JCJ satisfies individual verifiability, because 
the probabilistic encryption scheme ensures that ballots are 
unique, with overwhelming probability. JCJ satisfies universal 
verifiability, because the proofs produced throughout tallying 
can be publicly verified. And JCJ satisfies eligibility verifiability, 
because A cannot construct new ballots without knowing 
a voter's private credential or the tallier's private key. □ 

A formal proof of Theorem 5 appears in Appendix H. The 
proof assumes the random oracle model. 

The Civitas [35] scheme refines the JCJ scheme. Some 
refinements relevant to election verifiability are an implementation 
of a distributed registration protocol, and a mixnet based 
on randomized partial checking (RPC) [75]. We leave a proof 
that Civitas satisfies Ver-Int-Weak as future work. In that 
proof, it would be necessary to assume the RPC construction 
satisfies the definition of mixnets given in Appendix A. 
Work by Khazaei and Wikström [?] suggests that actually 
proving satisfaction is unlikely to be possible. Alternatively, 
the mixnet could be replaced by one based on zero-knowledge 
proofs [54], [96]. 

VI.  New  classes  of  attack 

Our  definitions  of  election  verifiability  improve  upon  exist¬ 
ing  definitions  by  detecting  two  previously  unidentified  classes 
of  attack: 

•  Collusion  attacks.  An  election  scheme’s  tallying  and 
verification  algorithms  might  be  designed  such  that  they 
collude  to  accept  incorrect  tallies. 

•  Biasing  attacks.  An  election  scheme’s  verification  al¬ 
gorithm  might  be  designed  such  that  it  rejects  some 
legitimate  tallies. 

Although  a  well-designed  election  scheme  would  hopefully 
not  exhibit  these  vulnerabilities,  it  is  the  job  of  verifiability 
definitions  to  detect  malicious  schemes,  regardless  of  whether 
vulnerabilities  are  due  to  malice  or  errors.  So  definitions  of 
election  verifiability  should  preclude  collusion  and  biasing 
attacks. 

A.  Collusion  Attacks 

Here are two examples of potential collusion attacks: 

• Vote stuffing. Tally behaves normally, but adds k votes 
for candidate β. Verify subtracts k votes from β, then 
proceeds with verification as normal. Elections thus verify 
as normal, except that candidate β receives extra votes. 

• Backdoor tally replacement. Tally and Verify behave 
normally, unless a backdoor value is posted on the 
bulletin board BB. For example, if (SK_T, X*) appears 
on BB, then Tally and Verify both ignore the correct 
tally and instead replace it with tally X*. Value SK_T is 
the backdoor here; it cannot appear on BB (except with 
negligible probability) unless the tallier is malicious. 

Vote stuffing is detected by our definitions of Correctness 
(§II-A and §IV-A), because these definitions require that the 
tally produced by Tally corresponds to the choices encapsulated 
in ballots on the bulletin board. Note that vote stuffing 
is not a failure of eligibility verifiability, because the stuffed 
votes do not correspond to any ballots on the bulletin board. 
Backdoor tally replacement is detected by our definitions 
of universal verifiability (§II-B2 and §IV-B2), because those 
definitions require Verify to accept only those tallies that 
correspond to a correct tally of the bulletin board. 

We show, next, that the definition of election verifiability 
by Juels et al. [79] fails to detect vote stuffing and backdoor 
tally replacement, and that the definition by Cortier et al. [38] 
fails to detect backdoor tally replacement. 

Juels et al. [79] formalize definitions that we name JCJ- 
correctness and JCJ-verifiability. JCJ-correctness is intuitively 
meant to capture that "A cannot pre-empt, alter, or cancel the 
votes of honest voters [and] that A cannot cause voters to cast 
ballots resulting in double voting" [79, p. 45]; it is formalized 
in terms of whether the adversary can post ballots on the 
bulletin board that cause the tally to be computed incorrectly. 
JCJ-verifiability is intuitively "the ability for any player to 
check whether the tally ... has been correctly computed" [79, 
p. 46]; it is formalized in terms of whether Verify will accept 
a tally that differs from the output of Tally. We restate the 
formal definitions in Appendix I. 

To show that the JCJ definitions fail to detect collusion 
attacks, we first formalize the vote stuffing attack. An 
election scheme Π = (..., Tally, Verify) can be modified 
to derive a vote-stuffing election scheme Stuff(Π, β, n) = 
(..., Tally_S, Verify_S), which adds n votes to β, as follows:²⁵ 

• Tally_S(...) computes (X, P) ← Tally(...) and outputs 
(Add(X, β, n), P).²⁶ 

• Verify_S(..., X, P, ...) computes v ← Verify(..., Add( 
X, β, −n), P, ...) and outputs v. 


Proposition 6. Given an election scheme Π satisfying JCJ- 
correctness and JCJ-verifiability, and integers β and n, it 
holds that Stuff(Π, β, n) satisfies JCJ-correctness and JCJ- 
verifiability. 

A formal proof appears in Appendix J. 

Second, we formalize the backdoor tally replacement attack. 
An election scheme Π = (..., Tally, Verify) can be modified 
to derive an election scheme Backdoor(Π) = (..., Tally_B, 
Verify_B), as follows: 

• Tally_B(..., SK_T, BB, ...) checks whether there exists a 
unique X* such that (SK_T, X*) ∈ BB. If so, Tally_B 
outputs (X*, ⊥). Otherwise, Tally_B computes (X, P) ← 
Tally(..., SK_T, BB, ...) and outputs (X, P). 

• Verify_B(PK_T, ..., BB, ..., X, P, ...) checks whether 
there exists a unique X* such that (SK_T, X*) ∈ BB.²⁷ 
If so, Verify_B outputs 1. Otherwise, Verify_B computes 
v ← Verify(PK_T, ..., BB, ..., X, P, ...) and outputs v. 

25. We omit many of the parameters of Tally and Verify here for simplicity; 
see Appendix J for details. 

26. Let Add(X, β, n) = (X[1], ..., X[β − 1], X[β] + n, X[β + 1], ..., X[|X|]). 
And let |X| denote the length of vector X. 


Proposition 7. Given an election scheme Π satisfying JCJ- 
correctness and JCJ-verifiability that does not leak the 
tallier's private key, it holds that Backdoor(Π) satisfies JCJ- 
correctness and JCJ-verifiability. 

A formal proof appears in Appendix J, where we also formally 
define key leakage. 

Cortier et al. [38] propose definitions similar to JCJ- 
verifiability and insist that election schemes must satisfy their 
notions of correctness and partial tallying. Vote stuffing is 
detected by their correctness property, but backdoor tally 
replacement is not. The ideas remain the same, so we omit 
formalized results. We have reported these findings to the 
original authors [?], [55], [56]. 


B. Biasing attacks 

Here are three formalizations of biasing attacks, derived 
from an election scheme Π = (..., Verify). 

• Reject All. Let Reject(Π) be (..., Verify_R), where 
Verify_R always outputs 0. Verify_R therefore always 
rejects, hence no election can ever be considered valid. 

• Selective Reject. Let ε be a distinguished 
value that would not be posted on the bulletin 
board by honest voters. Let Selective(Π, ε) be 
(..., Verify_ε), where Verify_ε(..., BB, ...) computes 
v ← Verify(..., BB, ...) and outputs 1 if both v = 1 
and ε ∉ BB. Otherwise, Verify_ε outputs 0. Verify_ε 
therefore rejects if ε appears on the bulletin board, hence 
some elections can be invalidated. 

• Biased Reject. Suppose Z is a set of tallies. Let 
Bias(Π, Z) be (..., Verify_Z), where Verify_Z(..., X, ...) 
computes v ← Verify(..., X, ...) and outputs 1 if both 
v = 1 and X ∈ Z. Otherwise, Verify_Z outputs 0. Verify_Z 
therefore only accepts a subset of the tallies accepted by 
Verify, hence biases tallies toward Z. 

These formalizations do not satisfy our definition of Completeness 
(§II-A and §IV-A), hence, our definitions of verifiability 
detect these biasing attacks. 
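As an added example (not the paper's code), the following Python models the Stuff, Selective and Bias transformations of this section together with the Reject All scheme, on top of a minimal plaintext-choice base scheme in the spirit of Choice (§II-D), and runs the two checks that this paper's definitions impose and that the JCJ-style definitions lack: an instance of Correctness (a board of honest ballots must tally to the expected vector Y) and an instance of Completeness (Verify must accept Tally's output on every supplied bulletin board, including boards carrying values that honest voters would never post). The base scheme, the constructed choices and boards, and the distinguished value "epsilon" are assumptions of this example. It shows which definition catches which attack: Correctness flags vote stuffing, Completeness flags the three biasing attacks, and the honest scheme passes both.

```python
"""Collusion and biasing attacks of Section VI as scheme transformations,
beside the Correctness and Completeness checks that detect them.

Added example, not the paper's code. A scheme is a dict of three functions
(vote, tally, verify) with the parameters the paper elides dropped;
the bottom symbol is modelled as None."""


def base_scheme():
    """Minimal plaintext-choice scheme: a ballot is the candidate number itself."""
    def vote(nc, beta):
        return beta if 1 <= beta <= nc else None

    def tally(bb, nc):
        x = [0] * nc
        for b in bb:
            if isinstance(b, int) and not isinstance(b, bool) and 1 <= b <= nc:
                x[b - 1] += 1
        return (x, None)

    def verify(bb, nc, x, p):
        return 1 if (x, p) == tally(bb, nc) else 0

    return {"vote": vote, "tally": tally, "verify": verify}


def add(x, beta, n):
    """Add(X, beta, n): copy of X with n added to component beta."""
    y = list(x)
    y[beta - 1] += n
    return y


def stuff(scheme, beta, n):
    """Stuff(Pi, beta, n): Tally_S adds n votes to beta, Verify_S removes them again."""
    def tally_s(bb, nc):
        x, p = scheme["tally"](bb, nc)
        return (add(x, beta, n), p)

    def verify_s(bb, nc, x, p):
        return scheme["verify"](bb, nc, add(x, beta, -n), p)

    return dict(scheme, tally=tally_s, verify=verify_s)


def reject_all(scheme):
    """Reject(Pi): Verify_R always outputs 0."""
    return dict(scheme, verify=lambda bb, nc, x, p: 0)


def selective(scheme, eps):
    """Selective(Pi, eps): the verifier rejects whenever eps is on the board."""
    def verify_eps(bb, nc, x, p):
        return 1 if scheme["verify"](bb, nc, x, p) == 1 and eps not in bb else 0

    return dict(scheme, verify=verify_eps)


def bias(scheme, z):
    """Bias(Pi, Z): Verify_Z accepts only tallies that lie in Z."""
    def verify_z(bb, nc, x, p):
        return 1 if scheme["verify"](bb, nc, x, p) == 1 and x in z else 0

    return dict(scheme, verify=verify_z)


def correctness_check(scheme, nc, choices):
    """One instance of Correctness (Definition 6 and its Section II-A analogue):
    a board of honest ballots for `choices` must tally to the vector Y."""
    y, bb = [0] * nc, []
    for beta in choices:
        y[beta - 1] += 1
        bb.append(scheme["vote"](nc, beta))
    x, _ = scheme["tally"](bb, nc)
    return x == y


def completeness_check(scheme, nc, boards):
    """One instance of Completeness (Definition 7): for every supplied bulletin
    board, Verify must accept whatever Tally outputs for it."""
    for bb in boards:
        x, p = scheme["tally"](bb, nc)
        if scheme["verify"](bb, nc, x, p) != 1:
            return False
    return True


def demo():
    """Constructed choices and boards; returns (correct?, complete?) per scheme."""
    nc = 3
    honest = base_scheme()
    choices = [1, 2, 2, 3]                                  # Y = [1, 2, 1]
    boards = [[], [1], [1, 2, 2, 3], [3, 3, "not-a-ballot"], [2, 2, 1, "epsilon"]]
    schemes = {
        "honest": honest,                                   # (True, True)
        "stuff": stuff(honest, 2, 5),                       # (False, True)
        "reject_all": reject_all(honest),                   # (True, False)
        "selective": selective(honest, "epsilon"),          # (True, False)
        "bias": bias(honest, [[0, 0, 0], [1, 2, 1]]),       # (True, False)
    }
    return {name: (correctness_check(s, nc, choices), completeness_check(s, nc, boards))
            for name, s in schemes.items()}
```

The Completeness check is only as strong as the boards it is run over: Selective Reject slips past a check that uses only well-formed boards, which is the same gap the text attributes to the Cortier et al. definition below, whose Completeness does not quantify over all bulletin boards.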

The definition of verifiability by Juels et al. [79] fails to 
detect all three of the above attacks, because that definition 
has no notion of Completeness. For example, it is vulnerable 
to Biased Reject attacks: 

Proposition 8. Given an election scheme Π satisfying JCJ- 
correctness and JCJ-verifiability, and given a multiset Z, 
it holds that Bias(Π, Z) satisfies JCJ-correctness and JCJ- 
verifiability. 

A formal proof appears in Appendix J. 

27. Verify_B also needs to check that SK_T is the private key corresponding 
to PK_T. We omit formalizing this detail, but note that it is straightforward 
for real-world encryption schemes such as El Gamal and RSA. 

The definition of verifiability by Kiayias et al. [83] fails 
to detect Selective Reject attacks, because (like JCJ) the 
definition has no notion of Completeness. Their notion of 
Correctness does rule out Reject All and Biased Reject attacks. 

Similarly, the definition of verifiability by Cortier et al. [38] 
detects Biased Reject and Reject All attacks, but fails to detect 
Selective Reject attacks, because that definition's notion of 
Completeness does not quantify over all bulletin boards. 

VII. Related Work 

Kiayias [82] presents an overview of security properties 
for election schemes. Many election schemes in the literature 
state properties called correctness, accuracy, or (universal) 
verifiability without formally defining those terms. 

In the computational model, Juels et al. [77]–[79] and 
Cortier et al. [38] give game-based definitions of verifiability. 
Those definitions fail to detect biasing and collusion attacks 
(cf. §VI). Definitions of universal verifiability (which is just 
one aspect of election verifiability) in the computational model 
seem to originate with Benaloh and Tuinstra [15], who define 
a correctness property that says every participant is convinced 
that the tally is accurate with respect to the votes cast, and 
with Cohen and Fischer [36], who define verifiability to mean 
that there exists a check function that returns good iff the 
announced tally of the election corresponds to the cast votes. 

Kiayias et al. [83] define a property they name E2E verifiability 
(E2E abbreviates "end-to-end"). This property combines 
our intuitive notions of individual and universal verifiability 
into a single definition. Their definition fails to detect Selective 
Reject attacks (cf. §VI). Their definitions, like ours, do […] 

In the symbolic model, Smyth et al. [109] define the first […] 

[…] definitions are not intended to provide assurances if the 
election authorities are dishonest. For example, the definition 
of Kremer and Ryan does not detect whether corrupt election 
authorities insert votes [84, §5.2]. Likewise, the definition of 
Backes et al. assumes that election authorities are honest [7, 
§3]. 

Our definition of election verifiability follows Smyth et 
al. [85], [106], [109] by deconstructing it into individual, 
universal, and eligibility verifiability. Other deconstructions of 
election verifiability are possible. For example, Adida and Neff 
[6, §2] identify four aspects of verifiability: 

•  Cast  as  intended:  the  ballot  is  cast  at  the  polling  station 
as  the  voter  intended. 

•  Recorded  as  cast:  cast  ballots  are  preserved  with  integrity 
through  the  ballot  collection  process. 

•  Counted  as  recorded:  recorded  ballots  are  counted  cor¬ 
rectly. 

•  Eligible  voter  verification:  only  eligible  voters  can  cast  a 
ballot  in  the  first  place. 

Those  definitions  are  not  mathematical,  so  we  cannot  attempt 
a  precise  comparison.  Nonetheless,  eligibility  verifiability  and 
eligible  voter  verification  seem  to  be  addressing  similar  con¬ 
cerns.  Likewise,  individual  and  universal  verifiability  together 
seem  to  be  addressing  concerns  similar  to  that  of  recorded 
as  cast  and  counted  as  recorded  together.  Recorded  as  cast,  in 
our  work,  reduces  to  the  bulletin  board  preserving  ballots  with 
integrity — a  property  that  we  have  assumed,  because  crypto¬ 
graphic  election  schemes  assume  it,  too.  Ways  to  construct 
secure  bulletin  boards  have  been  proposed,  e.g.,  gg,  (67), 
(TOT),  (103|.  We  postpone  a  discussion  of  cast  as  intended  to 
Section  IVIIII 

Privacy  properties  [48 1,  (79),  (91),  (92),  (T07),  (108)  — such 
as  ballot  secrecy,  receipt  freeness,  and  coercion  resistance — 
complement  verifiability.  Chevallier-Mames  et  al.  (32),  1 33 1 


not  address  voter  intent — that  is,  verification  by  humans  that 
ballots  correctly  encode  candidate  choices — as  we  discuss  in 
Section  [ym] 

Also  in  the  computational  model,  Groth  |63|,  and  Moran 
and  Naor  (95),  state  definitions  of  verifiability  in  terms  of 
universal  composability  [23).  These  definitions  involve  defin¬ 
ing  an  ideal  functionality,  part  of  that  is  similar  to  our 
correct-tally  function.  Groth’s  definition  does  not  guaran¬ 
tee  universal  verifiability  [63]  p.  2],  but  Moran  and  Naor’s 
does  (95  p.  386]. 


and  Hosp  and  Vora  (70),  0  show  an  incompatibility  result: 
election  schemes  cannot  unconditionally  satisfy  privacy  and 
universal  verifiability.  But  weaker  versions  of  these  properties 
can  hold  simultaneously,  as  can  be  witnessed  from  Theorems [2] 
and  [g  coupled  with  existing  privacy  results  such  as  the 
ballot  secrecy  proofs  for  Helios  4.0  [20 


Theorem  3], 


18 


Theorem  6.12],  and  the  coercion  resistance  proof  for  JCJ  1 79 
§5]. 

Comparison  with  global  verifiability:  Kiisters  et  al. 


definition  of  election  verifiability.  This  definition  is  amenable 
to  automated  reasoning,  but  is  stronger  than  necessary  and 
cannot  be  satisfied  by  many  election  schemes,  including  Helios 
and  Civitas.  Kremer  et  al.  (85)  overcome  this  limitation  with 
a  weaker  definition  that  sacrifices  amenability  to  automated 
reasoning,  and  Smyth  1 106  §3]  extends  this  definition.  Dreier 


et  al.  have  adapted  election  verifiability  to  auction  m  and 
examination  (49)  systems. 

Also  in  the  symbolic  model,  Kremer  and  Ryan  (84)  and 
Backes  et  al.  0  formalize  definitions  of  eligibility.  These 


1 91 1,  (93)  present  a  definition  of  global  verifiability  that  can 
be  used  with  any  kind  of  protocol,  not  just  electronic  voting 
protocols.  To  analyze  the  verifiability  of  a  protocol,  users  of 
this  definition  must  themselves  formalize  goals,  which  are 
properties  required  to  hold  in  every  run  of  the  protocol.  For 
example,  a  goal  77  is  presented  in  a  case  study  [91]  §5.2]  of 
global  verifiability  applied  to  voting: 

77  contains  all  runs  for  which  there  exist  choices 
of  the  dishonest  voters  (where  a  choice  is  either  to 
abstain  or  to  vote  for  one  of  the  candidates)  such  that 
the  result  obtained  together  with  the  choices  made  by 
the  honest  voters  in  this  run  differs  only  by  £  votes 


11 


from  the  published  result  (i.e.  the  result  that  can  be 
computed  from  the  simple  ballots  on  the  bulletin 
board). 


Another  goal  7  is  presented  in  a  case  study  1 93 
Helios: 


§6.2]  of 


7  is  satisfied  in  a  run  if  the  published  result  exactly 
reflects  the  actual  votes  of  the  honest  voters  in  this 
run  and  votes  of  dishonest  voters  are  distributed  in 
some  way  on  the  candidates,  possibly  in  a  different 
way  than  how  the  dishonest  voters  actually  voted. 


These informal statements of goals are appealing, but they
do not constitute rigorous mathematical definitions. As Kiayias
et al. write, "[global verifiability] has the disadvantage that the
set γ remains undetermined and thus the level of verifiability
that is offered by the definition hinges on the proper definition
of γ which may not be simple" [83, p. 476]. In our own
work, we found that formal definitions were quite tricky to get
right, for example, which ballots should be counted, how to
count them, and how to determine whether that count differed
from the published tally. So we shared [87] and discussed [88]
our results with Küsters. In response, Küsters et al. updated an
online technical report to propose a formalization of goals [86,
§5.2]; we look forward to analyzing that formalization when
it is published.

In an analysis of Helios, Küsters et al. [93] use goal
γ to conclude that Helios 2.0 satisfies global verifiability.
Yet Bernhard et al. [20] demonstrate an attack against the
verifiability of Helios 2.0, and in Appendix E we show that
Helios 2.0 does not satisfy Ver-Ext. This seeming discrepancy
arises because the analysis in [93] does not formalize all
the cryptographic primitives used by Helios, hence the attack
goes unnoticed. So another contribution of our own work is
to correctly distinguish between unverifiable and verifiable
variants of Helios by rigorously analyzing the cryptography
used in Helios.

It is natural to ask whether election verifiability can be
expressed in terms of global verifiability. We believe it can be.
For instance, individual, universal and eligibility verifiability
could be expressed, in the informal style of the goals quoted
above, as the following goals:

• γ_IV is satisfied in a run if voters can uniquely identify
their ballots on the bulletin board in this run.

• γ_UV is satisfied in a run if the correct tally of votes cast
by authorized voters in this run is the same as the tally
produced by algorithm Tally.

• γ_EV is satisfied in a run if every ballot tallied in this
run was created by a voter in possession of a private
credential.


Küsters et al. argue that deconstructing verifiability
into individual and universal verifiability is insufficient to
detect certain attacks involving ill-formed ballots. But those
attacks leave open the possibility that there do exist notions of
individual and universal verifiability that would be sufficient.
Indeed, our own definition of universal verifiability rules out
attacks based on ill-formed ballots, because correct-tally
ensures that tallied ballots are well-formed.

One concern that might be raised is whether there still
lurk any "gaps" in our decomposition into individual and
universal (and eligibility) verifiability. Indeed, there might be.
But the definition of global verifiability does not rule out the
possibility of gaps, either: any gap in the formal statement of a
goal will lead to a vulnerability. That is, if the analyst forgets to
include some necessary facet of verifiability when stating the
formal goal, then global verifiability will not detect any attacks
against that facet. Global verifiability does not guarantee a lack
of gaps.


VIII. Concluding Remarks

When we began this work, we were studying the Juels et
al. [79] definition of election verifiability. We discovered that
the definition fails to detect biasing and collusion attacks.
While attempting to improve the Juels et al. definition to
rule out those attacks, we discovered that factoring it into
individual, universal, and eligibility verifiability led to an
elegant decomposition of (mostly) orthogonal properties. We
later sought to apply our new definitions to existing electronic
voting systems, and Helios [5] and Civitas [35] were natural
choices. But they treat authentication differently (Helios
outsources authentication, whereas Civitas does not), so we were
led to separate our definitions into variants for external and
internal authentication. We were at first surprised to discover
that JCJ, hence Civitas, does not satisfy the strong definition of
eligibility verifiability. But upon reflection, it became apparent
that an adversary who knows the tallier's private key can easily
forge ballots that appear to be from eligible voters.

Our definitions of verifiability have not addressed the issue
of voter intent, that is, verification by a human that the ballot
submitted by a voter corresponds to the candidate choice the
voter intended to make. Adida and Neff call this property
"cast as intended" [6]. Many election schemes (e.g., [53],
[69], [79], [83]) do not satisfy cast as intended, because the
schemes implicitly or explicitly assume that voters can themselves
verify the cryptographic operations required to construct
ballots. Nevertheless, schemes by Chaum [27], Neff [97], and
Benaloh [13], [14] introduce cryptographic mechanisms to
verify voter intent. It would be natural to explore strengthening
our definitions to address voter intent.

The goal of this research is to enable verifiability of the
voting systems we use in real life, rather than merely trusting
them. Research on verifiability can generalize beyond voting
to other systems that must guarantee strong forms of integrity.
Verifiable voting systems thus have the potential to contribute
to the science of security, to democracy, and to broader society.


Acknowledgments

We thank David Bernhard, Jeremy Clark, Véronique
Cortier, David Galindo, Markus Jakobsson, Steve Kremer, Ralf
Küsters, Elizabeth Quaglia, Mark Ryan, Susan Thomson, and
Poorvi Vora for insightful discussions that have influenced this
paper. This work is partly supported by the European Research
Council under the European Union's Seventh Framework
Programme (FP7/2007-2013) / ERC project CRYSP (259639),
by AFOSR grants FA9550-12-1-0334 and FA9550-14-1-0334,
by NSF grant 1421373, and by the National Security Agency.
This work was performed in part at George Washington
University and INRIA.

Dedication

Ben Smyth dedicates his contribution to the loving memory
of Anne Konishi, 1971 - 2015. What matters most of all is
the dash. We had a great time.

He writes for Christina Mai Konishi. Smile like your
mother, for good fortune seeks those who smile (warau kado
niwa fuku kitaru, says the Japanese proverb).

The dedication references Linda Ellis (1996), The Dash.


Appendix A

Cryptographic primitives

A. Basic definitions

Definition 12 (Negligible function [59]). A function $\mu : \mathbb{N} \to \mathbb{R}$
is negligible if for every positive polynomial $p(\cdot)$, there exists
an $N$, such that for all $n > N$,

    $\mu(n) < \frac{1}{p(n)}$.

An event $E(k)$, where $k$ is a security parameter, occurs with
negligible probability if $\Pr[E(k)] \le \mu(k)$ for some negligible
function $\mu$. The event occurs with overwhelming probability if
the complement of the event occurs with negligible probability.

Definition 13 (Asymmetric encryption scheme [80]). An
asymmetric encryption scheme is a tuple of PPT algorithms
(Gen, Enc, Dec) such that:

• Gen, denoted $(pk, sk, \mathfrak{m}) \leftarrow \mathsf{Gen}(1^k)$, takes a security
parameter $1^k$ as input and outputs a key pair $(pk, sk)$
and message space $\mathfrak{m}$.

• Enc, denoted $c \leftarrow \mathsf{Enc}(pk, m)$, takes a public key $pk$ and
message $m \in \mathfrak{m}$ as input, and outputs a ciphertext $c$.

• Dec, denoted $m \leftarrow \mathsf{Dec}(pk, sk, c)$, takes a public key $pk$,
a private key $sk$, and ciphertext $c$ as input, and outputs
a message $m$ or error symbol $\bot$. We assume Dec is
deterministic.

Moreover, the scheme must be correct: there exists a negligible
function $\mu$, such that for all security parameters $k$
and messages $m$, we have

    $\Pr[(pk, sk, \mathfrak{m}) \leftarrow \mathsf{Gen}(1^k);\ c \leftarrow \mathsf{Enc}(pk, m) : m \in \mathfrak{m} \Rightarrow \mathsf{Dec}(pk, sk, c) = m] > 1 - \mu(k)$.

Our definition of asymmetric encryption schemes differs from
Katz and Lindell's definition [80, Definition 10.1] in that we
formally state the plaintext space, and we provide the public
key as input to Dec. The latter is a technical convenience that
we use to handle parameters needed for encryption schemes.
For example, El Gamal is defined in terms of a cyclic group,
and a description of the group parameters is needed to compute
encryptions and decryptions. We assume those parameters are
encoded as part of the public key. Although we could also
assume the parameters are encoded in private keys, it suffices
to pass the public key into the decryption algorithm.

Definition 14 (Homomorphic encryption [80]). An asymmetric
encryption scheme $\Gamma$ = (Gen, Enc, Dec) is homomorphic if for
all $k$, $pk$, $sk$ and $\mathfrak{m}$, such that $(pk, sk, \mathfrak{m}) \leftarrow \mathsf{Gen}(1^k)$, there
exist binary operators $\oplus$, $\otimes$ and $\odot$, and sets $\mathfrak{c}$ and $\mathfrak{r}$, such that
$(\mathfrak{m}, \oplus)$, $(\mathfrak{r}, \odot)$ and $(\mathfrak{c}, \otimes)$ are groups and

• For all $m$ and $c$, such that $m \in \mathfrak{m}$ and $c \leftarrow \mathsf{Enc}(pk, m)$,
it holds that $c \in \mathfrak{c}$.

• For all $m_1, m_2 \in \mathfrak{m}$ and $c_1, c_2 \in \mathfrak{c}$, such that $\mathsf{Dec}(pk, sk, c_1) = m_1$
and $\mathsf{Dec}(pk, sk, c_2) = m_2$, there exists a negligible function $\mu$,
such that $\Pr[\mathsf{Dec}(pk, sk, c_1 \otimes c_2) = m_1 \oplus m_2] > 1 - \mu(k)$.

• For all $m_1, m_2 \in \mathfrak{m}$ and $r_1, r_2 \in \mathfrak{r}$, there exists a
negligible function $\mu$, such that
$\Pr[\mathsf{Enc}(pk, m_1; r_1) \otimes \mathsf{Enc}(pk, m_2; r_2) = \mathsf{Enc}(pk, m_1 \oplus m_2; r_1 \odot r_2)] > 1 - \mu(k)$.

The scheme $\Gamma$ is additively homomorphic if $\oplus$ is the addition
operator in $\mathfrak{m}$; or, multiplicatively homomorphic if $\oplus$ is the
multiplication operator in $\mathfrak{m}$.

Our definition of homomorphic encryption strengthens Katz
and Lindell's definition [80, Definition 11.35] by adding the
third bullet point, which requires the homomorphism to extend
to random coins. That extension is needed in Helios as part of
the Vote algorithm, to enable proofs of plaintext knowledge
on homomorphic combinations of ciphertexts.

Indistinguishability under chosen-plaintext attack
(IND-CPA) [8], [60], [61] is a standard definition of
security for encryption schemes. Intuitively, if an encryption
scheme satisfies IND-CPA, then an adversary without access
to a decryption oracle is unable to distinguish ciphertexts.
A variant (IND-j-CPA) allows the adversary $j$ adaptive
queries to a decryption oracle, where each query is a parallel
decryption query, i.e., it requests the decryption of a vector
of ciphertexts. Hence, IND-0-CPA is equivalent to IND-CPA.


Definition 15 (IND-j-CPA [21]). An asymmetric encryption
scheme $\Gamma$ = (Gen, Enc, Dec) satisfies IND-j-CPA if for all
stateful PPT adversaries $\mathcal{A}$, there exists a negligible function
$\mu$, such that for all security parameters $k$, we have
$\mathsf{Succ}(\mathsf{Exp\text{-}CPA}(j, \Gamma, \mathcal{A}, k)) \le \frac{1}{2} + \mu(k)$, where $j$ is a
non-negative integer and the experiment Exp-CPA is defined as
follows:

Exp-CPA($j, \Gamma, \mathcal{A}, k$) =
  1  $(pk, sk, \mathfrak{m}) \leftarrow \mathsf{Gen}(1^k)$;
  2  $(m_0, m_1) \leftarrow \mathcal{A}(pk, \mathfrak{m})$;
  3  $b \leftarrow_r \{0, 1\}$;
  4  $c \leftarrow \mathsf{Enc}(pk, m_b)$;
  5  $b' \leftarrow \mathcal{A}^{\mathcal{O}}(c)$;
  6  if $b = b' \wedge m_0, m_1 \in \mathfrak{m} \wedge |m_0| = |m_1|$ then
  7      return 1
  8  else
  9      return 0

Here $x \leftarrow_r S$ denotes assignment to $x$ of an element chosen
uniformly at random from set $S$, and $\mathcal{A}$ has access to a
decryption oracle $\mathcal{O}$, which is defined as follows:

$\mathcal{O}(\mathbf{c})$ =
  1  if $j > 0 \wedge \bigwedge_{1 \le i \le |\mathbf{c}|} c \neq \mathbf{c}[i]$ then
  2      $j \leftarrow j - 1$;
  3      return $(\mathsf{Dec}(pk, sk, \mathbf{c}[1]), \dots, \mathsf{Dec}(pk, sk, \mathbf{c}[|\mathbf{c}|]))$
  4  else
  5      return $\bot$

The oracle in experiment Exp-CPA may access parameter $j$.
Henceforth, we continue to allow oracles to access experiment
parameters without explicitly mentioning them.

Definition 16 (Signature scheme [80]). A signature scheme is
a tuple (Gen, Sign, Ver) of PPT algorithms such that:

• Gen, denoted $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$, takes a security
parameter $1^k$ as input and outputs a key pair $(pk, sk)$.

• Sign, denoted $\sigma \leftarrow \mathsf{Sign}(sk, m)$, takes a private key $sk$
and message $m$ as input, and outputs a signature $\sigma$.

• Ver, denoted $v \leftarrow \mathsf{Ver}(pk, m, \sigma)$, takes a public key
$pk$, message $m$, and signature $\sigma$ as input, and outputs a
bit $v$, which is 1 if the signature successfully verifies and
0 otherwise. We assume Ver is deterministic.

Moreover, the scheme must be correct: there exists a negligible
function $\mu$, such that for all security parameters $k$
and messages $m$, we have

    $\Pr[(pk, sk) \leftarrow \mathsf{Gen}(1^k);\ \sigma \leftarrow \mathsf{Sign}(sk, m) : \mathsf{Ver}(pk, m, \sigma) = 1] > 1 - \mu(k)$.

Definition 17 (EU-CMA [80]). A signature scheme $\Gamma$ =
(Gen, Sign, Ver) satisfies existential unforgeability under
adaptive chosen-message attack (EU-CMA) if for all PPT
adversaries $\mathcal{A}$, there exists a negligible function $\mu$, such that
for all security parameters $k$, we have
$\mathsf{Succ}(\mathsf{Exp\text{-}Sign}(\Gamma, \mathcal{A}, k)) \le \mu(k)$, where experiment Exp-Sign
is defined as follows:

Exp-Sign($\Gamma, \mathcal{A}, k$) =
  1  $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$;
  2  $\mathit{Msg} \leftarrow \emptyset$;
  3  $(m, \sigma) \leftarrow \mathcal{A}^{\mathcal{O}}(pk, 1^k)$;
  4  if $\mathsf{Ver}(pk, m, \sigma) = 1 \wedge m \notin \mathit{Msg}$ then
  5      return 1
  6  else
  7      return 0

The experiment defines an oracle $\mathcal{O}$. On invocation $\mathcal{O}(m)$,
oracle $\mathcal{O}$ computes a signature $\sigma \leftarrow \mathsf{Sign}(sk, m)$, records that
the adversary requested a signature on $m$ by updating $\mathit{Msg}$
to be $\mathit{Msg} \cup \{m\}$, and outputs $\sigma$.


B. Proof systems

A proof system (originally known as an interactive proof
system [62]) is a two-party protocol between a prover and a
verifier. The prover convinces the verifier that a string $s$ is in
a language $L$. Here, we assume that there is a witness relation
$R$, such that $s \in L$ iff there exists a witness $w$, such that
$(s, w) \in R$. For any $(s, w) \in R$, it must also hold that the
length of $w$ is at most polynomial in the length of $s$. Proof
systems ensure that a prover can convince a verifier of any
valid claim (completeness), and that a verifier cannot be fooled
into accepting a false claim (soundness).

A sigma protocol [46] is a proof system with a
particular three-move structure: commit, challenge, respond.

Definition 18 (Sigma protocol). A sigma protocol for a
relation $R$ is a tuple (Comm, Chal, Resp, Verify) of PPT
algorithms such that:

• Comm, denoted $(\mathit{comm}, t) \leftarrow \mathsf{Comm}(s, w)$, is executed
by a prover. Comm takes a statement $s$ and witness $w$ as
input, and outputs a commitment $\mathit{comm}$ and some state
information $t$.

• Chal, denoted $\mathit{chal} \leftarrow \mathsf{Chal}(k)$, is executed by a verifier.
Chal takes a security parameter $k$ and outputs a $k$-bit
string $\mathit{chal}$ sampled uniformly at random.

• Resp, denoted $\mathit{resp} \leftarrow \mathsf{Resp}(\mathit{chal}, t)$, is executed by a
prover. Resp takes a challenge $\mathit{chal}$ and state information
$t$ as input, and outputs a response $\mathit{resp}$.

• Verify, denoted $v \leftarrow \mathsf{Verify}(s, (\mathit{comm}, \mathit{chal}, \mathit{resp}))$, is
executed by a verifier. Verify takes a statement $s$ and
transcript $(\mathit{comm}, \mathit{chal}, \mathit{resp})$ as input, and outputs a bit
$v$, which is 1 if the transcript successfully verifies and 0
otherwise. We assume Verify is deterministic.

Moreover, the sigma protocol must be complete: there exists
a negligible function $\mu$, such that for all security parameters
$k$ and statements and witnesses $(s, w) \in R$, we have

    $\Pr[(\mathit{comm}, t) \leftarrow \mathsf{Comm}(s, w);\ \mathit{chal} \leftarrow_r \{0, 1\}^k;\ \mathit{resp} \leftarrow \mathsf{Resp}(\mathit{chal}, t) : \mathsf{Verify}(s, (\mathit{comm}, \mathit{chal}, \mathit{resp})) = 1] > 1 - \mu(k)$.

Some sigma protocols ensure special soundness and special
honest-verifier zero knowledge. We will make use of a result
by Bernhard et al. that requires these properties, but we will
not need the details of those definitions in our proofs, so we
omit them here; see Bernhard et al. [20] for a formalization.

Definition 19. Let (Gen, Enc, Dec) be a homomorphic asymmetric
encryption scheme and $\Sigma$ be a sigma protocol for a
relation $R$.

• $\Sigma$ proves correct key construction if

    $((1^k, pk, \mathfrak{m}), (sk, r)) \in R \iff (pk, sk, \mathfrak{m}) = \mathsf{Gen}(1^k; r)$.

Further, suppose that $(pk, sk, \mathfrak{m})$ is the output of $\mathsf{Gen}(1^k; r)$,
for some coins $r$.

• $\Sigma$ proves plaintext knowledge in a subspace if

    $((pk, c, \mathfrak{m}'), (m, r)) \in R \iff c = \mathsf{Enc}(pk, m; r) \wedge m \in \mathfrak{m}' \wedge \mathfrak{m}' \subseteq \mathfrak{m}$.

• $\Sigma$ proves conjunctive plaintext knowledge if

    $((pk, c_1, \dots, c_k), (m_1, r_1, \dots, m_k, r_k)) \in R \iff \bigwedge_{1 \le i \le k} c_i = \mathsf{Enc}(pk, m_i; r_i) \wedge m_i \in \mathfrak{m}$.

• $\Sigma$ proves correct reencryption if

    $((pk, \mathbf{c}, c), (i, r)) \in R \iff c = \mathbf{c}[i] \otimes \mathsf{Enc}(pk, e; r) \wedge 1 \le i \le |\mathbf{c}|$

where $\mathbf{c}$ is a vector of ciphertexts encrypted under $pk$, and
where $e$ is an identity element of the encryption scheme's
message space with respect to $\oplus$.

• $\Sigma$ is a plaintext equivalence test (PET) if

    $((pk, c, c', z), sk) \in R \iff ((z = 0 \wedge \mathsf{Dec}(pk, sk, c) \neq \mathsf{Dec}(pk, sk, c')) \vee (z = 1 \wedge \mathsf{Dec}(pk, sk, c) = \mathsf{Dec}(pk, sk, c'))) \wedge \mathsf{Dec}(pk, sk, c) \neq \bot \wedge \mathsf{Dec}(pk, sk, c') \neq \bot$.

• $\Sigma$ is a mixnet if

    $((pk, \mathbf{c}, \mathbf{c}'), (\mathbf{r}, \chi)) \in R \iff \bigwedge_{1 \le i \le |\mathbf{c}|} \mathbf{c}'[\chi(i)] = \mathbf{c}[i] \otimes \mathsf{Enc}(pk, e; \mathbf{r}[i]) \wedge |\mathbf{c}| = |\mathbf{c}'| = |\mathbf{r}|$

where $\mathbf{c}$ and $\mathbf{c}'$ are both vectors of ciphertexts encrypted
under $pk$, and $\chi$ is a permutation on $\{1, \dots, |\mathbf{c}|\}$, and $e$
is an identity element of the encryption scheme's message
space with respect to $\oplus$.

• $\Sigma$ proves correct decryption if

    $((pk, c, m), sk) \in R \iff m = \mathsf{Dec}(pk, sk, c)$.
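The following Python program is an added example (it is not code from the paper, from Helios or from JCJ) that instantiates Definition 14 and the reencryption relation of Definition 19 with exponential El Gamal: $\oplus$ is addition of exponents, $\otimes$ is componentwise multiplication of ciphertexts, $\odot$ is addition of coins, and the identity $e$ is 0. The group parameters ($p = 1019$, $q = 509$, $g = 4$), the sample votes and all function names are constructed for this illustration; the group is far too small for real use and exists only so that decryption can recover exponents by exhaustive search.

```python
"""Exponential El Gamal over a toy prime-order group, illustrating
Definition 14 (homomorphism over messages, ciphertexts and coins) and
the reencryption relation of Definition 19.  Added example, not code
from the paper.  All parameters are constructed and insecure."""
import secrets

# Constructed toy parameters: p = 2q + 1 with q prime, g = 4 generates
# the order-q subgroup.  Message space and coin space are both Z_q.
P, Q, G = 1019, 509, 4


def gen():
    """Gen(1^k): key pair (pk, sk) with pk = g^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def enc(pk, m, r=None):
    """Enc(pk, m; r) = (g^r, g^m * pk^r).  Returns (ciphertext, coins) so a
    caller can check the coin homomorphism (third bullet of Definition 14)."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P), r


def dec(pk, sk, c):
    """Dec(pk, sk, c): recover g^m, then m by exhaustive search over Z_q
    (acceptable only because the toy group is tiny).  None stands for ⊥."""
    a, b = c
    gm = b * pow(a, -sk, P) % P
    for m in range(Q):
        if pow(G, m, P) == gm:
            return m
    return None


def ctx_mul(c1, c2):
    """⊗: componentwise multiplication of ciphertexts mod p."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)


def msg_add(m1, m2):
    """⊕: addition in the message group Z_q."""
    return (m1 + m2) % Q


def coin_add(r1, r2):
    """⊙: addition in the coin group Z_q."""
    return (r1 + r2) % Q


def check_homomorphism(pk, sk, m1, m2):
    """True iff the second and third bullets of Definition 14 hold for m1, m2:
    Dec(c1 ⊗ c2) = m1 ⊕ m2 and Enc(m1; r1) ⊗ Enc(m2; r2) = Enc(m1 ⊕ m2; r1 ⊙ r2)."""
    c1, r1 = enc(pk, m1)
    c2, r2 = enc(pk, m2)
    product = ctx_mul(c1, c2)
    combined, _ = enc(pk, msg_add(m1, m2), coin_add(r1, r2))
    return dec(pk, sk, product) == msg_add(m1, m2) and product == combined


def reencrypt(pk, c, r=None):
    """c ⊗ Enc(pk, e; r) with e = 0, the identity of (Z_q, +): same plaintext,
    fresh ciphertext.  This is the relation behind 'correct reencryption'
    and the mixnet relation in Definition 19."""
    c_identity, r = enc(pk, 0, r)
    return ctx_mul(c, c_identity), r


def homomorphic_tally(pk, sk, votes):
    """Encrypt each 0/1 vote, combine the ciphertexts with ⊗, decrypt once.
    The single decryption yields the number of 1-votes without decrypting
    any individual ballot, which is what Definition 14 buys an election scheme."""
    acc = None
    for v in votes:
        c, _ = enc(pk, v)
        acc = c if acc is None else ctx_mul(acc, c)
    return 0 if acc is None else dec(pk, sk, acc)


if __name__ == "__main__":
    pk, sk = gen()
    print("Definition 14 holds for (7, 12):", check_homomorphism(pk, sk, 7, 12))
    print("tally of constructed votes [1,0,1,1,0]:", homomorphic_tally(pk, sk, [1, 0, 1, 1, 0]))
```

`check_homomorphism` exercises the third bullet directly: the product of two ciphertexts is literally the encryption of the summed messages under the summed coins, which is what lets a Helios-style Vote algorithm attach a proof of plaintext knowledge to a homomorphic combination. `reencrypt` shows that multiplying by an encryption of the identity changes the ciphertext but not the plaintext; that is exactly the witness relation a mixnet proof has to establish for each output position.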

C. Non-interactive proof systems

A proof system is non-interactive if a single message is sent
from the prover to the verifier.

Definition 20 (Non-interactive proof system). A non-interactive
proof system for a relation $R$ is a tuple of algorithms
(Prove, Verify) such that:

• Prove, denoted $\sigma \leftarrow \mathsf{Prove}(s, w)$, is executed by a prover
to prove $(s, w) \in R$.

• Verify, denoted $v \leftarrow \mathsf{Verify}(s, \sigma)$, is executed by anyone
to check the validity of a proof. We assume Verify is
deterministic.

Moreover, the system must be complete: there exists a negligible
function $\mu$, such that for all statements and witnesses
$(s, w) \in R$, we have $\Pr[\sigma \leftarrow \mathsf{Prove}(s, w) : \mathsf{Verify}(s, \sigma) = 1] > 1 - \mu(|s|)$,
where $|s|$ denotes the length of $s$. There
are various soundness definitions that can be considered for
non-interactive proof systems. We will use simulation-sound
extractability, defined below.

We can derive non-interactive proof systems from sigma
protocols using the Fiat-Shamir transformation [52], which
replaces the verifier's challenge with a hash of the prover's
commitment, concatenated with the prover's statement.

Definition 21 (Fiat-Shamir transformation [52]). Given a
sigma protocol $\Sigma$ = (Comm, Chal, Resp, $\mathsf{Verify}_\Sigma$) for relation
$R$ and a hash function $\mathcal{H}$, the Fiat-Shamir transformation,
denoted $\mathsf{FS}(\Sigma, \mathcal{H})$, is the tuple (Prove, Verify) of PPT
algorithms, defined as follows:

Prove($s, w$) =
  1  $(\mathit{comm}, t) \leftarrow \mathsf{Comm}(s, w)$;
  2  $\mathit{chal} \leftarrow \mathcal{H}(\mathit{comm}, s)$;
  3  $\mathit{resp} \leftarrow \mathsf{Resp}(\mathit{chal}, t)$;
  4  return $(\mathit{comm}, \mathit{resp})$

Verify($s, (\mathit{comm}, \mathit{resp})$) =
  1  $\mathit{chal} \leftarrow \mathcal{H}(\mathit{comm}, s)$;
  2  return $\mathsf{Verify}_\Sigma(s, (\mathit{comm}, \mathit{chal}, \mathit{resp}))$

It is straightforward to check that FS produces non-interactive
proof systems.
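As an added example (not code from the paper), the following Python program instantiates Definition 18 for the relation $R = \{(h, x) : h = g^x\}$, i.e. Schnorr's protocol, and applies the transformation of Definition 21 with SHA-256 playing the role of $\mathcal{H}$. It also binds the optional string $m$ that the generalized transform later in this appendix allows. The group is built at start-up from the Mersenne prime $q = 2^{127} - 1$ (a prime $p = kq + 1$ is searched for with Miller-Rabin), which is our own parameter choice; the function names are ours as well. The last two functions are a general caveat about the transform rather than anything the paper states: if the challenge is hashed over the commitment alone, a forger can pick the statement after seeing the challenge and produce an accepted proof for an $h$ whose discrete logarithm nobody knows, which is why Definition 21 hashes $s$ together with $\mathit{comm}$.

```python
"""Schnorr sigma protocol (Definition 18) and its Fiat-Shamir transform
(Definition 21), plus the optional-string generalization.  Added example,
not code from the paper.  Group parameters are our own construction."""
import hashlib
import secrets

Q = 2**127 - 1   # Mersenne prime, used as the order of the subgroup


def is_probable_prime(n, rounds=40):
    """Miller-Rabin; used only to find p = k*Q + 1 at start-up."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group():
    """Smallest even k with p = k*Q + 1 prime; g = h^k has order Q since Q is prime."""
    k = 2
    while not is_probable_prime(k * Q + 1):
        k += 2
    p = k * Q + 1
    h = 2
    while pow(h, k, p) == 1:
        h += 1
    return p, pow(h, k, p)


P, G = make_group()

# Relation R: (s, w) in R  iff  s = g^w mod p.  Statement s = h, witness w = x.

def comm(s, w):
    """Comm(s, w): commitment a = g^t; the state t carries (t, w) for Resp."""
    t = secrets.randbelow(Q)
    return pow(G, t, P), (t, w)


def chal(k=16):
    """Chal(k): a k-bit challenge sampled uniformly (interactive verifier)."""
    return secrets.randbits(k)


def resp(c, state):
    """Resp(chal, t): z = t + c*w mod q."""
    t, w = state
    return (t + c * w) % Q


def verify_sigma(s, transcript):
    """Verify(s, (comm, chal, resp)): accept iff g^z = a * s^c."""
    a, c, z = transcript
    return pow(G, z, P) == a * pow(s, c, P) % P


def interactive_run(s, w):
    """One honest three-move run (completeness of Definition 18)."""
    a, state = comm(s, w)
    c = chal()
    return verify_sigma(s, (a, c, resp(c, state)))


def fs_hash(*parts):
    """H(comm, s[, m]): SHA-256 over a length-prefixed encoding of the inputs."""
    h = hashlib.sha256()
    for x in parts:
        b = str(x).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")


def prove(s, w, m=None):
    """FS Prove(s, w[, m]): challenge = H(comm, s) or H(comm, s, m)."""
    a, state = comm(s, w)
    c = fs_hash(a, s) if m is None else fs_hash(a, s, m)
    return a, resp(c, state)


def verify(s, proof, m=None):
    """FS Verify(s, (comm, resp)[, m]): recompute the challenge, run Verify_Sigma."""
    a, z = proof
    c = fs_hash(a, s) if m is None else fs_hash(a, s, m)
    return verify_sigma(s, (a, c, z))


def weak_verify(s, proof):
    """Deliberately WRONG variant: the challenge depends on the commitment only."""
    a, z = proof
    return verify_sigma(s, (a, fs_hash(a), z))


def forge_weak(seed=b"constructed seed"):
    """Produce (s, proof) accepted by weak_verify with no witness for s: take a
    commitment a with unknown discrete log (hashed into the subgroup), read
    off c = H(a), pick z, and solve g^z = a * s^c for s.  The statement is
    chosen AFTER the challenge; hashing s into the challenge prevents this."""
    k = (P - 1) // Q
    h = int.from_bytes(hashlib.sha256(seed).digest(), "big") % (P - 2) + 2
    a = pow(h, k, P)                     # element of the order-Q subgroup
    c = fs_hash(a)
    z = secrets.randbelow(Q)
    s = pow(pow(G, z, P) * pow(a, -1, P) % P, pow(c, -1, Q), P)
    return s, (a, z)
```

With a real-sized group the only difference between `verify` and `weak_verify` is which inputs go into the hash, and that single difference decides whether a proof is bound to the statement it accompanies. The same binding is what the optional string $m$ extends: a proof computed with `m="ballot-42"` does not verify for any other $m$, so a ciphertext proof cannot be lifted from one ballot and replayed inside another.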

Some non-interactive proof systems ensure zero knowledge:
anything a verifier can derive about a witness can be derived
without interaction with a prover, that is, the prover can be
simulated. We define zero knowledge in the random oracle
model [9]. A random oracle can be programmed or patched.
We will not need the details of how patching works in our
proofs, so we omit them here; see Bernhard et al. [20] for a
formalization.

Definition 22 (Zero knowledge). Suppose that $\Sigma$ is a sigma
protocol for relation $R$, that $\mathcal{H}$ is a random oracle, and that
(Prove, Verify) is a non-interactive proof system. Proof system
(Prove, Verify) satisfies zero knowledge if there exists a PPT
algorithm $\mathcal{S}$ and a negligible function $\mu$, such that for all PPT
adversaries $\mathcal{A}$ and all statements and witnesses $(x, y) \in R$,
we have

    $\Pr[b \leftarrow \mathcal{A}^{\mathcal{H}, \mathcal{P}_1}() : b = 1] - \Pr[b \leftarrow \mathcal{A}^{\mathcal{H}, \mathcal{P}_2}() : b = 1] \le \mu(|x|)$

where oracles $\mathcal{P}_1$ and $\mathcal{P}_2$ are defined on inputs $s$ and $w$
as follows: if $(s, w) \notin R$, then both $\mathcal{P}_1$ and $\mathcal{P}_2$ output $\bot$;
otherwise, $\mathcal{P}_1$ computes $\sigma \leftarrow \mathsf{Prove}(s, w)$ and outputs $\sigma$, and
$\mathcal{P}_2$ computes $\tau \leftarrow \mathcal{S}(s)$ and outputs $\tau$. Moreover, algorithm $\mathcal{S}$
can patch random oracle $\mathcal{H}$. The algorithm $\mathcal{S}$ for which the
above definition holds is called a simulator for (Prove, Verify).

Some zero knowledge non-interactive proof systems ensure
simulation sound extractability: an extractor can recover
witnesses from proofs by rewinding the prover, as discussed
below. We use extractors in our proofs of theorems, below, to
obtain witnesses from proofs.

Definition 23 (Simulation sound extractability [20], [64]).
Suppose that $\Sigma$ is a sigma protocol for relation $R$, that $\mathcal{H}$ is
a random oracle, and that (Prove, Verify) is a non-interactive
proof system such that $\mathsf{FS}(\Sigma, \mathcal{H})$ = (Prove, Verify). Further
suppose $\mathcal{S}$ is a simulator for (Prove, Verify) and $\mathcal{H}$ can be
patched by $\mathcal{S}$. Proof system (Prove, Verify) satisfies simulation
sound extractability if there exists a PPT algorithm $\mathcal{K}$, and a
negligible function $\mu$, such that for all adversaries $\mathcal{A}$, coins
$r$, and statements and witnesses $(x, w) \in R$, we have

    $\Pr[P \leftarrow ();\ Q \leftarrow \mathcal{A}^{\mathcal{H}, \mathcal{P}}(-; r);\ W \leftarrow \mathcal{K}^{\mathcal{A}'}(\mathbf{H}, P, Q) :$
    $\quad (|Q| = |W| \Rightarrow \exists j \in \{1, \dots, |Q|\} \,.\, (Q[j][1], W[j]) \notin R)$
    $\quad \wedge\ \forall (s, \sigma) \in Q, (t, \tau) \in P \,.\, \mathsf{Verify}(s, \sigma) = 1 \wedge \sigma \neq \tau] \le \mu(|x|)$

where $\mathcal{A}(-; r)$ denotes running adversary $\mathcal{A}$ with an empty
input and random coins $r$, where $\mathbf{H}$ is a transcript of the
random oracle's input and output, where set membership is
extended to vectors (we write $x \in \mathbf{x}$ if $x$ is an element of the
set $\{\mathbf{x}[i] : 1 \le i \le |\mathbf{x}|\}$), and where oracles $\mathcal{A}'$ and
$\mathcal{P}$ are defined below:

• $\mathcal{A}'()$. Computes $Q' \leftarrow \mathcal{A}(-; r)$, forwarding any of $\mathcal{A}$'s
oracle calls to $\mathcal{K}$, and outputs $Q'$. By running $\mathcal{A}(-; r)$,
$\mathcal{K}$ is rewinding the adversary.

• $\mathcal{P}(s)$. Computes $\sigma \leftarrow \mathcal{S}(s);\ P \leftarrow (P[1], \dots, P[|P|], (s, \sigma))$
and outputs $\sigma$.

Algorithm $\mathcal{K}$ is an extractor for (Prove, Verify).

Our definition of simulation sound extractability in the random
oracle model is an analogue of Groth's definition in the
common reference string model [64, §2]. (See Bernhard et
al. [20, §1] for a detailed comparison.) Our presentation of
simulation sound extractability differs from the presentation
by Bernhard et al. [20] by formalizing some of the details.
Bernhard et al. [20] show that non-interactive proof systems
derived using the Fiat-Shamir transformation satisfy zero
knowledge and simulation sound extractability:

Theorem 9 (from [20]). Let $\Sigma$ be a sigma protocol for relation
$R$, and let $\mathcal{H}$ be a random oracle. If $\Sigma$ satisfies special
soundness and special honest verifier zero knowledge, then
$\mathsf{FS}(\Sigma, \mathcal{H})$ satisfies simulation sound extractability.

The Fiat-Shamir transformation can be generalized to include
an optional string $m$ in the hashes produced by functions
Prove and Verify. We write $\mathsf{Prove}(s, w, m)$ and
$\mathsf{Verify}(s, (\mathit{comm}, \mathit{resp}), m)$ for invocations of Prove and Verify
which include an optional string. When $m$ is provided, it is
included in the hashes in both algorithms. That is, given
$\mathsf{FS}(\Sigma, \mathcal{H})$ = (Prove, Verify), the hashes are computed as follows
in both algorithms: $\mathit{chal} \leftarrow \mathcal{H}(\mathit{comm}, s, m)$. Theorem 9 can be
extended to this generalization.

Appendix B

Variants of Exp-IV

Our individual verifiability experiment with external
authentication Exp-IV-Ext can be equivalently formulated as an
experiment that challenges $\mathcal{A}$ to predict the output of Vote:

Exp-IV-Ext'($\Pi, \mathcal{A}, k$) =
  1  $(PK_T, nc, \beta, b) \leftarrow \mathcal{A}(k)$;
  2  $b' \leftarrow \mathsf{Vote}(PK_T, nc, \beta, k)$;
  3  if $b = b' \wedge b' \neq \bot$ then
  4      return 1
  5  else
  6      return 0

Proposition 10. Given an election scheme $\Pi$, we have

    $\forall \mathcal{A}\ \exists \mu\ \forall k \,.\, \mathsf{Succ}(\mathsf{Exp\text{-}IV\text{-}Ext}(\Pi, \mathcal{A}, k)) \le \mu(k)$
    $\iff$
    $\forall \mathcal{A}'\ \exists \mu'\ \forall k' \,.\, \mathsf{Succ}(\mathsf{Exp\text{-}IV\text{-}Ext}'(\Pi, \mathcal{A}', k')) \le \mu'(k')$,

where $\mathcal{A}$ and $\mathcal{A}'$ are PPT adversaries, $\mu$ and $\mu'$ are negligible
functions, and $k$ and $k'$ are security parameters.

Intuitively, if $\mathcal{A}$ can predict the output of Vote, then $\mathcal{A}$ can use
that prediction to generate a collision. And if $\mathcal{A}$ can generate
collisions, then $\mathcal{A}$ can use them to predict outputs.

Proof. For the forward implication, suppose $\mathcal{A}'$ is a
PPT adversary such that $\mathsf{Succ}(\mathsf{Exp\text{-}IV\text{-}Ext}'(\Pi, \mathcal{A}', k')) > \frac{1}{p(k')}$
for some polynomial $p$ and security parameter
$k'$. We construct an adversary $\mathcal{A}$ against Exp-IV-Ext.
On input $k'$, adversary $\mathcal{A}$ computes $(PK_T, nc, \beta, b) \leftarrow \mathcal{A}'(k')$
and outputs $(PK_T, nc, \beta, \beta)$. Since $\mathcal{A}'$ wins
Exp-IV-Ext' with non-negligible probability, we have

    $\Pr[b' \leftarrow \mathsf{Vote}(PK_T, nc, \beta, k') : b = b' \wedge b \neq \bot] > \frac{1}{p(k')}$.

Moreover, since calls to algorithm Vote are independent, we
have

    $\Pr[b_1 \leftarrow \mathsf{Vote}(PK_T, nc, \beta, k');\ b_2 \leftarrow \mathsf{Vote}(PK_T, nc, \beta, k') : b_1 = b \wedge b_2 = b \wedge b_1 \neq \bot \wedge b_2 \neq \bot] > \frac{1}{p(k')^2}$.

It follows that $\mathsf{Succ}(\mathsf{Exp\text{-}IV\text{-}Ext}(\Pi, \mathcal{A}, k')) > \frac{1}{p(k')^2}$.

For the reverse implication, suppose $\mathcal{A}$ is a PPT adversary
such that $\mathsf{Succ}(\mathsf{Exp\text{-}IV\text{-}Ext}(\Pi, \mathcal{A}, k)) > \frac{1}{p(k)}$ for some
polynomial $p$ and security parameter $k$. We construct an
adversary $\mathcal{A}'$
against  Exp-IV-Ext7.  On  input  k,  adversary  _47  computes 
{PKr,  nc,  /3i ,  /?2 )  A{k)\ bi  <-  Vote(PAr,  nc,  fii,  k)  and 
outputs  (PA 7-,  nc,  @2,  bi).  Since  A  wins  Exp-IV-Ext  with 
probability  no  less  than  y^y,  we  have 


Pr[62  <-  Vot e(PKr,  nc,  P2,  k)  :  bi 


62  A  foi  yf  J_]  > 


1 

p(k) ' 


It  follows  that  Succ(Exp-IV-int7(II,  Al ,  k))  >  y^y.  □ 


Our individual verifiability experiment with internal authentication (§IV-B1) can also be reformulated as an experiment that challenges $A$ to predict the output of $\mathsf{Vote}$ algorithms:

Exp-IV-Int'(Π, A, k) =
   1  (PK_T, n_v) ← A(k);
   2  for 1 ≤ i ≤ n_v do (pk_i, sk_i) ← Register(PK_T, k)
   3  L ← {pk_1, ..., pk_{n_v}};
   4  Crpt ← ∅;
   5  (n_c, β, i, b) ← A^C(L);
   6  b' ← Vote(sk_i, PK_T, n_c, β, k);
   7  if b = b' ∧ b' ≠ ⊥ ∧ sk_i ∉ Crpt then
   8      return 1
   9  else
  10      return 0

Similarly to Section IV-B1, the adversary is given access to oracle $C$ and the voter index output on line 5 must be legal with respect to $n_v$.

Experiment $\mathrm{Exp\text{-}IV\text{-}Int}'$ is strictly stronger than our original experiment $\mathrm{Exp\text{-}IV\text{-}Int}$, since predicting the output of $\mathsf{Vote}$ does not imply the existence of collisions, whereas collisions can be used to predict the output of $\mathsf{Vote}$. For instance, consider the following variant of Nonce (Definition 5):

Definition 24. Election scheme Nonce' is defined as follows:

•  $\mathsf{Setup}(k)$ outputs $(\bot, \bot, \infty, \infty)$.

•  $\mathsf{Register}(\mathit{PK}_T, k)$ computes $r \in \mathbb{Z}_{2^k}$ and outputs $(r, r)$.

•  $\mathsf{Vote}(r, \mathit{PK}_T, n_c, \beta, k)$ outputs $(r, \beta)$.

•  $\mathsf{Tally}(\mathit{PK}_T, \mathit{SK}_T, \mathit{BB}, L, n_c, k)$ computes a vector $X$ of length $n_c$, such that $X$ is a tally of the votes on $\mathit{BB}$ for which the nonce is in $L$, and outputs $(X, \bot)$.

•  $\mathsf{Verify}(\mathit{PK}_T, \mathit{BB}, L, n_c, X, P, k)$ outputs $1$ if $(X, P) = \mathsf{Tally}(\bot, \bot, \mathit{BB}, L, n_c, k)$ and $0$ otherwise.

Intuitively, an adversary can predict the output of $\mathsf{Vote}$, because the algorithm is deterministic and the electoral roll lists private credentials. However, the $\mathsf{Register}$ algorithm ensures that voters' credentials are distinct with overwhelming probability, hence, instantiations of the $\mathsf{Vote}$ algorithm with distinct voter credentials will never collide.

Proposition 11. Given an election scheme $\Pi$, PPT adversary $A$, negligible function $p$, and security parameter $k$, if $\mathrm{Succ}(\mathrm{Exp\text{-}IV\text{-}Int}'(\Pi, A, k)) \le p(k)$, then there exists a PPT adversary $B$ such that $\mathrm{Succ}(\mathrm{Exp\text{-}IV\text{-}Int}(\Pi, B, k)) \le p(k)$.

The proof of Proposition 11 is similar to the reverse implication proof of Proposition 10.



Appendix C
Helios 4.0 Scheme

We formalize a generic construction for Helios-like election schemes (Figure 1). Our construction is parameterized on the choice of homomorphic encryption scheme and sigma protocols.

$\mathsf{Setup}$ generates the tallier's key pair. The public key includes a non-interactive proof that the key pair is correctly constructed. $\mathsf{Vote}$ takes a choice $\beta \in \{1, \dots, n_c\}$ and outputs ciphertexts $c_1, \dots, c_{n_c - 1}$ such that if $\beta < n_c$, then ciphertext $c_\beta$ contains plaintext $1$ and the remaining ciphertexts contain plaintext $0$, otherwise, all ciphertexts contain plaintext $0$. $\mathsf{Vote}$ also outputs proofs $\sigma_1, \dots, \sigma_{n_c}$ so that this can be verified, in particular, proof $\sigma_j$ demonstrates that the ciphertext $c_j$ contains $0$ or $1$ for all $1 \le j \le n_c - 1$, and the proof $\sigma_{n_c}$ demonstrates that the homomorphic combination of ciphertexts $c_1 \otimes \cdots \otimes c_{n_c - 1}$ contains $0$ or $1$ (i.e., the voter's ballot contains a vote for exactly one candidate). $\mathsf{Tally}$ homomorphically combines ciphertexts representing votes for a particular candidate and decrypts the homomorphic combinations. The number of votes for a candidate $\beta \in \{1, \dots, n_c - 1\}$ is simply the homomorphic combination of the ballots for that candidate; the number of votes for candidate $n_c$ is equal to the number of votes for all other candidates subtracted from the total number of valid ballots on the bulletin board. $\mathsf{Verify}$ checks that each of the above steps has been performed correctly.

Fig. 1. Generalized Helios

Suppose $\Gamma = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ is an additively homomorphic asymmetric encryption scheme with a message space that, for sufficiently large security parameters, includes $\{0, 1\}$, $\Sigma_1$ proves correct key construction, $\Sigma_2$ proves plaintext knowledge in a subspace, $\Sigma_3$ proves correct decryption, and $H$ is a hash function. Let $\mathsf{FS}(\Sigma_1, H) = (\mathsf{ProveKey}, \mathsf{VerKey})$, $\mathsf{FS}(\Sigma_2, H) = (\mathsf{ProveCiph}, \mathsf{VerCiph})$, and $\mathsf{FS}(\Sigma_3, H) = (\mathsf{ProveDec}, \mathsf{VerDec})$. We define generalized Helios $\mathsf{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, H) = (\mathsf{Setup}, \mathsf{Vote}, \mathsf{Tally}, \mathsf{Verify})$ as follows.

•  $\mathsf{Setup}(k)$. Select coins $s$, compute $(pk, sk, \mathfrak{m}) \leftarrow \mathsf{Gen}(1^k; s)$; $\rho \leftarrow \mathsf{ProveKey}((1^k, pk, \mathfrak{m}), (sk, s))$; $\mathit{PK}_T \leftarrow (pk, \mathfrak{m}, \rho)$, let $m_s$ be the largest integer such that $\{0, \dots, m_s\} \subseteq \mathfrak{m}$, and output $(\mathit{PK}_T, sk, m_s, \infty)$.

•  $\mathsf{Vote}(\mathit{PK}_T, n_c, \beta, k)$. Parse $\mathit{PK}_T$ as a vector $(pk, \mathfrak{m}, \rho)$. Output $\bot$ if parsing fails or $\mathsf{VerKey}((1^k, pk, \mathfrak{m}), \rho) \neq 1 \vee \beta \notin \{1, \dots, n_c\}$. Select coins $r_1, \dots, r_{n_c - 1}$ and compute:

   for $1 \le j \le n_c - 1$ do
      if $j = \beta$ then $m_j \leftarrow 1$ else $m_j \leftarrow 0$
      $c_j \leftarrow \mathsf{Enc}(pk, m_j; r_j)$;
      $\sigma_j \leftarrow \mathsf{ProveCiph}((pk, c_j, \{0, 1\}), (m_j, r_j), j)$
   $c \leftarrow c_1 \otimes \cdots \otimes c_{n_c - 1}$;
   $m \leftarrow m_1 \oplus \cdots \oplus m_{n_c - 1}$;
   $r \leftarrow r_1 \oplus \cdots \oplus r_{n_c - 1}$;
   $\sigma_{n_c} \leftarrow \mathsf{ProveCiph}((pk, c, \{0, 1\}), (m, r), n_c)$

   Output ballot $(c_1, \dots, c_{n_c - 1}, \sigma_1, \dots, \sigma_{n_c})$.

•  $\mathsf{Tally}(\mathit{PK}_T, sk, \mathit{BB}, n_c, k)$. Initialize vectors $X$ of length $n_c$ and $P$ of length $n_c - 1$. Compute for $1 \le j \le n_c$ do $X[j] \leftarrow 0$. Parse $\mathit{PK}_T$ as a vector $(pk, \mathfrak{m}, \rho)$. Output $(X, P)$ if parsing fails. Let $\{b_1, \dots, b_\ell\}$ be the largest subset of $\mathit{BB}$ such that for all $1 \le i \le \ell$ we have $b_i$ is a vector of length $2 \cdot n_c - 1$ and $\bigwedge_{j=1}^{n_c - 1} \mathsf{VerCiph}((pk, b_i[j], \{0, 1\}), b_i[j + n_c - 1], j) = 1 \wedge \mathsf{VerCiph}((pk, b_i[1] \otimes \cdots \otimes b_i[n_c - 1], \{0, 1\}), b_i[2 \cdot n_c - 1], n_c) = 1$. If $\{b_1, \dots, b_\ell\} = \emptyset$, then output $(X, P)$, otherwise, compute:

   for $1 \le j \le n_c - 1$ do
      $c \leftarrow b_1[j] \otimes \cdots \otimes b_\ell[j]$;
      $X[j] \leftarrow \mathsf{Dec}(pk, sk, c)$;
      $P[j] \leftarrow \mathsf{ProveDec}((pk, c, X[j]), sk)$
   $X[n_c] \leftarrow \ell - \sum_{j=1}^{n_c - 1} X[j]$;

   Output $(X, P)$.

•  $\mathsf{Verify}(\mathit{PK}_T, \mathit{BB}, n_c, X, P, k)$. Parse $X$ as a vector of length $n_c$, parse $P$ as a vector of length $n_c - 1$, parse $\mathit{PK}_T$ as a vector $(pk, \mathfrak{m}, \rho)$. Output $0$ if parsing fails or $\mathsf{VerKey}((1^k, pk, \mathfrak{m}), \rho) \neq 1$. Let $\{b_1, \dots, b_\ell\}$ be the largest subset of $\mathit{BB}$ satisfying the conditions given by the tally algorithm and let $m_s$ be the largest integer such that $\{0, \dots, m_s\} \subseteq \mathfrak{m}$. If $\{b_1, \dots, b_\ell\} = \emptyset \wedge \bigwedge_{j=1}^{n_c} X[j] = 0$ or $\bigwedge_{j=1}^{n_c - 1} \mathsf{VerDec}((pk, b_1[j] \otimes \cdots \otimes b_\ell[j], X[j]), P[j]) = 1 \wedge X[n_c] = \ell - \sum_{j=1}^{n_c - 1} X[j] \wedge 1 \le \ell \le m_s$, then output $1$, otherwise, output $0$.

The above algorithms assume $n_c > 1$ and we define special cases of $\mathsf{Vote}$, $\mathsf{Tally}$ and $\mathsf{Verify}$ when $n_c = 1$:

•  $\mathsf{Vote}(\mathit{PK}_T, n_c, \beta, k)$. Parse $\mathit{PK}_T$ as a vector $(pk, \mathfrak{m}, \rho)$. Output $\bot$ if parsing fails or $\mathsf{VerKey}((1^k, pk, \mathfrak{m}), \rho) \neq 1 \vee \beta \neq 1$. Select coins $r$, compute $m \leftarrow 1$; $c \leftarrow \mathsf{Enc}(pk, m; r)$; $\sigma \leftarrow \mathsf{ProveCiph}((pk, c, \{0, 1\}), (m, r))$, and output ballot $(c, \sigma)$.

•  $\mathsf{Tally}(\mathit{PK}_T, sk, \mathit{BB}, n_c, k)$. Initialize $X$ and $P$ as vectors of length $1$. Compute $X[1] \leftarrow 0$. Parse $\mathit{PK}_T$ as a vector $(pk, \mathfrak{m}, \rho)$. Output $(X, P)$ if parsing fails. Let $\{b_1, \dots, b_\ell\}$ be the largest subset of $\mathit{BB}$ such that for all $1 \le i \le \ell$ we have $b_i$ is a vector of length $2$ and $\mathsf{VerCiph}((pk, b_i[1], \{0, 1\}), b_i[2]) = 1$. If $\{b_1, \dots, b_\ell\} = \emptyset$, then output $(X, P)$. Otherwise, compute $c \leftarrow b_1[1] \otimes \cdots \otimes b_\ell[1]$; $X[1] \leftarrow \mathsf{Dec}(pk, sk, c)$; $P[1] \leftarrow \mathsf{ProveDec}((pk, c, X[1]), sk)$ and output $(X, P)$.

•  $\mathsf{Verify}(\mathit{PK}_T, \mathit{BB}, n_c, X, P, k)$. Parse $X$ and $P$ as vectors of length $1$, and parse $\mathit{PK}_T$ as a vector $(pk, \mathfrak{m}, \rho)$. Output $0$ if parsing fails or $\mathsf{VerKey}((1^k, pk, \mathfrak{m}), \rho) \neq 1$. Let $\{b_1, \dots, b_\ell\}$ be the largest subset of $\mathit{BB}$ satisfying the conditions given by the tally algorithm and let $m_s$ be the largest integer such that $\{0, \dots, m_s\} \subseteq \mathfrak{m}$. If $\{b_1, \dots, b_\ell\} = \emptyset \wedge X[1] = 0$ or $\mathsf{VerDec}((pk, b_1[1] \otimes \cdots \otimes b_\ell[1], X[1]), P[1]) = 1 \wedge 1 \le \ell \le m_s$, then output $1$, otherwise, output $0$.

Lemmata 12–14 demonstrate that generalized Helios is a construction for election schemes.

Lemma 12. $\mathsf{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, H)$ satisfies Correctness, where $\Gamma$, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$ and $H$ satisfy the preconditions of Figure 1.

The proof of Lemma 12 is similar to the proof of Proposition 11.

Lemma 13. Suppose $\Gamma$, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$ and $H$ satisfy the preconditions of Figure 1. Further suppose that $\Sigma_2$ satisfies special soundness and special honest verifier zero-knowledge, and $H$ is a random oracle. We have $\mathsf{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, H)$ satisfies Completeness.

Proof. Let $\mathsf{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, H) = (\mathsf{Setup}, \mathsf{Vote}, \mathsf{Tally}, \mathsf{Verify})$, $\mathsf{FS}(\Sigma_1, H) = (\mathsf{ProveKey}, \mathsf{VerKey})$, $\mathsf{FS}(\Sigma_2, H) = (\mathsf{ProveCiph}, \mathsf{VerCiph})$, and $\mathsf{FS}(\Sigma_3, H) = (\mathsf{ProveDec}, \mathsf{VerDec})$. Suppose $k$ is a security parameter, $\mathit{BB}$ is a bulletin board, and $n_c$ is an integer. Further suppose $(\mathit{PK}_T, sk)$ is a key pair, $m_s$ and $m_e$ are integers, and $(X, P)$ is a tally, such that $(\mathit{PK}_T, sk, m_s, m_e) \leftarrow \mathsf{Setup}(k)$ and $(X, P) \leftarrow \mathsf{Tally}(\mathit{PK}_T, sk, \mathit{BB}, n_c, k)$. Moreover, suppose $|\mathit{BB}| \le m_s$. We focus on the case $n_c > 1$; the case $n_c = 1$ is similar. By definition of $\mathsf{Setup}$, there exist coins $s$ such that $(pk, sk, \mathfrak{m}) = \mathsf{Gen}(1^k; s)$, $\mathit{PK}_T \leftarrow (pk, \mathfrak{m}, \rho)$ and $m_s$ is the largest integer such that $\{0, \dots, m_s\} \subseteq \mathfrak{m}$, where $\rho$ is an output of $\mathsf{ProveKey}((1^k, pk, \mathfrak{m}), (sk, s))$. By definition of $\mathsf{Tally}$, we have $X$ is a vector of length $n_c$ and $P$ is a vector of length $n_c - 1$. It follows that $\mathsf{Verify}$ can successfully parse $X$, $P$, and $\mathit{PK}_T$. Moreover, by the completeness of $(\mathsf{ProveKey}, \mathsf{VerKey})$, we have $\mathsf{VerKey}((1^k, pk, \mathfrak{m}), \rho) = 1$ with overwhelming probability. Let $\{b_1, \dots, b_\ell\}$ be the largest subset of $\mathit{BB}$ satisfying the conditions given by the tally algorithm. If $\{b_1, \dots, b_\ell\} = \emptyset$, then $X$ is a zero-filled vector and $\mathsf{Verify}$ outputs $1$, concluding our proof, otherwise, we proceed as follows. Since $\{b_1, \dots, b_\ell\}$ is a subset of $\mathit{BB}$, we have $\ell \le m_s$. By definition of $\mathsf{Tally}$, we have for all $1 \le i \le \ell$ and all $1 \le j \le n_c - 1$ that $\mathsf{VerCiph}((pk, b_i[j], \{0, 1\}), b_i[j + n_c - 1], j) = 1$. By Theorem 9 we have $(\mathsf{ProveCiph}, \mathsf{VerCiph})$ satisfies simulation sound extractability, hence, for all $1 \le i \le \ell$ and all $1 \le j \le n_c - 1$ we have $b_i[j]$ is a ciphertext with overwhelming probability. It follows for all $1 \le j \le n_c - 1$ that $b_1[j] \otimes \cdots \otimes b_\ell[j]$ is a ciphertext with overwhelming probability. By definition of $\mathsf{Tally}$ and the completeness of $(\mathsf{ProveDec}, \mathsf{VerDec})$, we have $\bigwedge_{j=1}^{n_c - 1} \mathsf{VerDec}((pk, b_1[j] \otimes \cdots \otimes b_\ell[j], X[j]), P[j]) = 1 \wedge X[n_c] = \ell - \sum_{j=1}^{n_c - 1} X[j]$ with overwhelming probability, hence, $\mathsf{Verify}$ outputs $1$ with overwhelming probability, concluding our proof. □


Definition 25 (Collision-free). Suppose $\Gamma = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ is an asymmetric encryption scheme, $\Sigma_1$ proves correct key construction, $H$ is a hash function, and $\mathfrak{m}$ is a message space. Let $\mathsf{FS}(\Sigma_1, H) = (\mathsf{ProveKey}, \mathsf{VerKey})$. If for all security parameters $k$, public keys $pk$, proofs $\rho$, messages $m_1, m_2 \in \mathfrak{m}$, and coins $r_1$ and $r_2$ we have
$$\mathsf{VerKey}((1^k, pk, \mathfrak{m}), \rho) = 1 \wedge (m_1 \neq m_2 \vee r_1 \neq r_2)$$
$$\Longrightarrow \mathsf{Enc}(pk, m_1; r_1) \neq \mathsf{Enc}(pk, m_2; r_2),$$
then we say $\Gamma$ is collision-free for $\mathfrak{m}$.

Lemma 14. Suppose $\Gamma$, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$ and $H$ satisfy the preconditions of Figure 1. Further suppose $\Gamma$ is collision-free for $\{0, 1\}$. We have $\mathsf{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, H)$ satisfies Injectivity.

Proof. Let $\mathsf{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, H) = (\mathsf{Setup}, \mathsf{Vote}, \mathsf{Tally}, \mathsf{Verify})$, $\Gamma = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$, and $\mathsf{FS}(\Sigma_1, H) = (\mathsf{ProveKey}, \mathsf{VerKey})$. Suppose $k$ is a security parameter, $\mathit{PK}_T$ is a public key, $n_c$ is an integer, and $\beta$ and $\beta'$ are choices such that $\beta \neq \beta'$. Further suppose $b$ and $b'$ are ballots such that $b \leftarrow \mathsf{Vote}(\mathit{PK}_T, n_c, \beta, k)$, $b' \leftarrow \mathsf{Vote}(\mathit{PK}_T, n_c, \beta', k)$, $b \neq \bot$, and $b' \neq \bot$. By definition of $\mathsf{Vote}$, we have $\mathit{PK}_T$ is a vector $(pk, \mathfrak{m}, \rho)$ and $\mathsf{VerKey}((1^k, pk, \mathfrak{m}), \rho) = 1$. Moreover, there exist coins $r$ and $r'$ such that
$$b[1] = \mathsf{Enc}(pk, m; r), \text{ where } m = \begin{cases} 1 & \text{if } \beta = 1 \\ 0 & \text{otherwise} \end{cases}$$
and
$$b'[1] = \mathsf{Enc}(pk, m'; r'), \text{ where } m' = \begin{cases} 1 & \text{if } \beta' = 1 \\ 0 & \text{otherwise.} \end{cases}$$
Since $\beta \neq \beta'$, we have $m \neq m'$. Furthermore, since $\Gamma$ is collision-free for $\{0, 1\}$, we have $b[1] \neq b'[1]$ and, therefore, $b \neq b'$. □

Generalized Helios can be instantiated to derive Helios 4.0:

Definition 26 (Helios 4.0). Helios 4.0 is $\mathsf{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, H)$, where $\Gamma$ is additively homomorphic El Gamal [43], $\Sigma_1$ is the sigma protocol for proving knowledge of discrete logarithms by Chaum et al. [29, Protocol 2], $\Sigma_2$ is the sigma protocol for proving knowledge of disjunctive equality between discrete logarithms by Cramer et al. [42, Figure 1], $\Sigma_3$ is the sigma protocol for proving knowledge of equality between discrete logarithms by Chaum and Pedersen [30, §3.2], and $H$ is a random oracle.

Although Helios actually uses SHA-256 [98], we assume that $H$ is a random oracle to prove Theorem 2. Moreover, we assume the sigma protocols used by Helios 4.0 satisfy the preconditions of generalized Helios, that is, [29, Protocol 2] is a sigma protocol for proving correct key construction, [42, Figure 1] is a sigma protocol for proving plaintext knowledge in a subspace, and [30, §3.2] is a sigma protocol for proving decryption. We leave formally proving this assumption as future work.

To show that Helios 4.0 is an election scheme, we must demonstrate that Correctness, Completeness and Injectivity are satisfied. Correctness follows immediately from Lemma 12. And we show that Completeness and Injectivity are also satisfied.

First, Completeness. Bernhard et al. [20, §4] remark that the sigma protocol used by Helios 4.0 to prove plaintext knowledge in a subspace satisfies special soundness and special honest verifier zero knowledge, hence, Helios 4.0 satisfies Completeness by Lemma 13.

Secondly, Injectivity. A non-interactive proof system $(\mathsf{ProveKey}, \mathsf{VerKey})$ derived from a sigma protocol for proving correct key construction is sufficient to ensure that El Gamal is collision-free, assuming algorithm $\mathsf{VerKey}$ guarantees that public keys are constructed from suitable parameters: if $\mathsf{VerKey}((1^k, pk, \{0, 1\}), \rho) = 1$, then there exist $p$, $q$, $g$ and $h$ such that $pk = (p, q, g, h)$ and $(p, q, g)$ are cryptographic parameters, i.e., $p = 2 \cdot q + 1$, $|q| = k$, and $g$ is a generator of $\mathbb{Z}_p^*$ of order $q$.

Lemma 15. Suppose $\Sigma_1$ is a sigma protocol that proves correct key construction and $H$ is a hash function. Let $\mathsf{FS}(\Sigma_1, H) = (\mathsf{ProveKey}, \mathsf{VerKey})$. Further suppose for all security parameters $k$, public keys $pk$, and proofs $\rho$, we have $\mathsf{VerKey}((1^k, pk, \{0, 1\}), \rho) = 1$ implies $h \neq 0$ and there exist $p$, $q$, $g$ and $h$ such that $pk = (p, q, g, h)$ and $(p, q, g)$ are cryptographic parameters. It follows that additively homomorphic El Gamal is collision-free for $\{0, 1\}$.

Proof. Suppose $k$ is a security parameter, $pk$ is a public key, $\rho$ is a proof, $m_1, m_2 \in \{0, 1\}$ are messages and $r_1$ and $r_2$ are coins such that $\mathsf{VerKey}((1^k, pk, \{0, 1\}), \rho) = 1$, $m_1 \neq m_2 \vee r_1 \neq r_2$, $pk = (p, q, g, h)$ and $(p, q, g)$ are cryptographic parameters, for some $p$, $q$, $g$ and $h$. Further suppose that $c_1$ and $c_2$ are ciphertexts such that $c_1 = \mathsf{Enc}(pk, m_1; r_1)$, $c_2 = \mathsf{Enc}(pk, m_2; r_2)$, and $\mathsf{Enc}$ is El Gamal's encryption algorithm. If $r_1 \neq r_2$, then we proceed as follows. By definition of $\mathsf{Enc}$, we have $c_1[1] = g^{r_1} \pmod p$ and $c_2[1] = g^{r_2} \pmod p$. Since $r_1$ and $r_2$ are distinct, we have $g^{r_1} \not\equiv g^{r_2} \pmod p$. (We implicitly assume that coins $r_1$ and $r_2$ are selected from the coin space $\mathbb{Z}_q^*$, hence, $g^{r_1} = g^{r_1} \bmod p$ and $g^{r_2} = g^{r_2} \bmod p$.) It follows that $c_1 \neq c_2$. Otherwise ($r_1 = r_2$), we have $m_1 \neq m_2$ and we proceed as follows. By definition of $\mathsf{Enc}$, we have $c_1[2] = h^{r_1} \cdot g^{m_1} \pmod p$ and $c_2[2] = h^{r_2} \cdot g^{m_2} \pmod p$. Since $(p, q, g)$ are cryptographic parameters and $h \neq 0$, we have $h^{r_1} \not\equiv h^{r_1} \cdot g \pmod p$, which is sufficient to conclude, because $m_1, m_2 \in \{0, 1\}$. □

The sigma protocol for proving knowledge of discrete logarithms by Chaum et al. [29, Protocol 2] does not explicitly require the suitability of cryptographic parameters to be checked, hence, Lemma 15 is not immediately applicable. Nonetheless, we can trivially make the necessary checks explicit and, hence, the non-interactive proof system derived from the sigma protocol for proving knowledge of discrete logarithms by Chaum et al. is sufficient to ensure that El Gamal is collision-free. It follows that Helios 4.0 satisfies Injectivity, hence, Helios 4.0 is an election scheme.

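The following Python program is an added worked example and is not code from the paper or from the Helios project. It models the Figure 1 construction over additively homomorphic (exponential) El Gamal, so that a tally can be reproduced end to end: ballots are column-wise homomorphic combinations, each column is decrypted with a Fiat-Shamir Chaum-Pedersen proof of correct decryption (the role of ProveDec/VerDec, hashed with SHA-256 as Helios does), and the verifier re-derives $X[n_c] = \ell - \sum_{j=1}^{n_c-1} X[j]$. It also exercises the collision-freeness property of Lemma 15 by checking that distinct (message, coins) pairs never yield equal ciphertexts. Assumptions: the parameters $p = 1019$, $q = 509$, $g = 4$ are constructed toy values with no security; the ballot well-formedness proofs ($\Sigma_2$, ProveCiph/VerCiph) are omitted, so the "largest subset of BB" filter is not modelled and every ballot on the board is counted; all function names are my own.

```python
"""Toy generalized-Helios tally (Figure 1) over exponential El Gamal.
Added illustration, not code from the paper or from Helios itself.
Omitted: ballot well-formedness proofs (ProveCiph/VerCiph), so every
ballot on the board is counted.  Parameters are constructed and insecure."""
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 with p, q prime; g = 4 generates
# the order-q subgroup of Z_p^*.  Far too small for real use.
P, Q, G = 1019, 509, 4

def keygen():
    """Gen: secret key x in Z_q^*, public key h = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x

def enc(h, m, r):
    """Enc(pk, m; r) = (g^r, h^r * g^m) mod p  (exponential El Gamal)."""
    return (pow(G, r, P), pow(h, r, P) * pow(G, m, P) % P)

def hom_add(c1, c2):
    """The paper's ⊗: component-wise product, which adds the plaintexts."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def dec(x, c, bound):
    """Dec: recover g^m, then search m in 0..bound (tallies are small)."""
    gm = c[1] * pow(c[0], -x, P) % P      # negative exponent = modular inverse
    for m in range(bound + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext outside expected range")

def _challenge(*parts):
    """Fiat-Shamir challenge: SHA-256 over statement and commitment."""
    data = ",".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_dec(h, x, c, m):
    """ProveDec: Chaum-Pedersen proof that log_g h = log_{c1} (c2 / g^m)."""
    w = secrets.randbelow(Q - 1) + 1
    a, b = pow(G, w, P), pow(c[0], w, P)
    e = _challenge(h, c[0], c[1], m, a, b)
    return (a, b, (w + e * x) % Q)

def ver_dec(h, c, m, proof):
    """VerDec: accept iff g^z = a * h^e and c1^z = b * d^e, d = c2 / g^m."""
    a, b, z = proof
    d = c[1] * pow(G, -m, P) % P
    e = _challenge(h, c[0], c[1], m, a, b)
    return (pow(G, z, P) == a * pow(h, e, P) % P
            and pow(c[0], z, P) == b * pow(d, e, P) % P)

def vote(h, nc, beta):
    """Vote: nc-1 ciphertexts; slot beta holds 1, others 0 (all 0 if beta == nc)."""
    return [enc(h, 1 if j == beta else 0, secrets.randbelow(Q - 1) + 1)
            for j in range(1, nc)]

def _column(bb, j):
    """b_1[j] ⊗ ... ⊗ b_l[j]: homomorphic sum of column j of the board."""
    c = bb[0][j]
    for b in bb[1:]:
        c = hom_add(c, b[j])
    return c

def tally(h, x, bb, nc):
    """Tally: decrypt each column with a proof; X[nc] is l minus the rest."""
    ell, X, proofs = len(bb), [0] * nc, []
    if ell == 0:
        return X, proofs
    for j in range(nc - 1):
        c = _column(bb, j)
        X[j] = dec(x, c, ell)
        proofs.append(prove_dec(h, x, c, X[j]))
    X[nc - 1] = ell - sum(X[:nc - 1])
    return X, proofs

def verify(h, bb, nc, X, proofs):
    """Verify: empty board needs all-zero X; otherwise each column's
    decryption proof must check and X[nc] must equal l - sum of the rest."""
    ell = len(bb)
    if ell == 0:
        return all(v == 0 for v in X)
    if len(X) != nc or len(proofs) != nc - 1:
        return False
    ok = all(ver_dec(h, _column(bb, j), X[j], proofs[j]) for j in range(nc - 1))
    return ok and X[nc - 1] == ell - sum(X[:nc - 1])

def collision_free(h, trials=200):
    """Lemma 15 check: distinct (m, r) with m in {0,1}, r in Z_q^* never
    give the same ciphertext under a well-formed key."""
    seen = {}
    for r in range(1, trials + 1):
        for m in (0, 1):
            c = enc(h, m, r)
            if c in seen and seen[c] != (m, r):
                return False
            seen[c] = (m, r)
    return True
```

With `h, x = keygen()`, a board `bb = [vote(h, 3, b) for b in (1, 1, 2, 3)]` tallies to `X == [2, 1, 1]` and `verify(h, bb, 3, X, proofs)` holds; replacing the last entry by any other value fails the $X[n_c]$ identity, which is exactly the check that makes the implicit last candidate auditable without a ciphertext of its own. The `_column` helper is the homomorphic combination $b_1[j] \otimes \cdots \otimes b_\ell[j]$ shared by Tally and Verify in Figure 1; because `_challenge` binds the claimed plaintext into the hash, a proof for one decryption cannot be replayed for another.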
Appendix D
Proof: Helios 4.0 is Verifiable

Election schemes constructed from generalized Helios satisfy individual (§D-A) and universal (§D-B) verifiability, hence, such schemes satisfy election verifiability with external authentication (§D-C). It follows that Helios 4.0 satisfies election verifiability (§D-D).

A. Individual verifiability

Proposition 16. Suppose $\Gamma$, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$ and $H$ satisfy the preconditions of Figure 1. Further suppose that $\Gamma$ is collision-free for $\{0, 1\}$. We have $\mathsf{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, H)$ satisfies individual verifiability.

The proof of Proposition 16 is similar to the proof of Lemma 14.

Proof. Let $\mathsf{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, H) = (\mathsf{Setup}, \mathsf{Vote}, \mathsf{Tally}, \mathsf{Verify})$ and $\mathsf{FS}(\Sigma_1, H) = (\mathsf{ProveKey}, \mathsf{VerKey})$. Suppose $k$ is a security parameter, $\mathit{PK}_T$ is a public key, $n_c$ is an integer, and $\beta$ and $\beta'$ are choices. Further suppose that $b$ and $b'$ are ballots such that $b \leftarrow \mathsf{Vote}(\mathit{PK}_T, n_c, \beta, k)$, $b' \leftarrow \mathsf{Vote}(\mathit{PK}_T, n_c, \beta', k)$, $b \neq \bot$, and $b' \neq \bot$. By definition of $\mathsf{Vote}$, we have $\mathit{PK}_T$ parses as a vector $(pk, \mathfrak{m}, \rho)$ and $\mathsf{VerKey}((1^k, pk, \mathfrak{m}), \rho) = 1$. Moreover, $b[1]$ and $b'[1]$ are ciphertexts such that $b[1] \leftarrow \mathsf{Enc}(pk, m)$ and $b'[1] \leftarrow \mathsf{Enc}(pk, m')$, where $m, m' \in \{0, 1\}$. Furthermore, the ciphertexts are constructed using random coins, i.e., the coins used by $b[1]$ and $b'[1]$ will be distinct with overwhelming probability. Since $\Gamma$ is collision-free for $\{0, 1\}$, we have $b[1] \neq b'[1]$ and $b \neq b'$ with overwhelming probability, concluding our proof. □



B. Universal verifiability

Proposition 17. Suppose $\Gamma$, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$ and $H$ satisfy the preconditions of Figure 1. Further suppose that $\Sigma_1$, $\Sigma_2$ and $\Sigma_3$ satisfy special soundness and special honest verifier zero-knowledge, and $H$ is a random oracle. We have $\mathsf{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, H)$ satisfies universal verifiability.

Proof. Let $\Pi = \mathsf{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3,  H) = (\mathsf{Setup}, \mathsf{Vote}, \mathsf{Tally}, \mathsf{Verify})$, $\mathsf{FS}(\Sigma_1, H) = (\mathsf{ProveKey}, \mathsf{VerKey})$, $\mathsf{FS}(\Sigma_2, H) = (\mathsf{ProveCiph}, \mathsf{VerCiph})$, and $\mathsf{FS}(\Sigma_3, H) = (\mathsf{ProveDec}, \mathsf{VerDec})$. By Theorem 9 each of the non-interactive proof systems satisfies simulation sound extractability.

Suppose $k$ is a security parameter and $A$ is a PPT adversary. Further suppose that an execution of $\mathrm{Exp\text{-}UV\text{-}Ext}(\Pi, A, k)$ computes
$$(\mathit{PK}_T, \mathit{BB}, n_c, X, P) \leftarrow A(k);$$
$$Y \leftarrow \text{correct-tally}(\mathit{PK}_T, \mathit{BB}, n_c, k)$$
such that $\mathsf{Verify}(\mathit{PK}_T, \mathit{BB}, n_c, X, P, k) = 1$. (If $\mathsf{Verify}(\mathit{PK}_T, \mathit{BB}, n_c, X, P, k) \neq 1$, then we can conclude immediately.) We focus on the case $n_c > 1$; the case $n_c = 1$ is similar.

By definition of the verification algorithm, vector $X$ is of length $n_c$ and $P$ is a vector of length $n_c - 1$. Moreover, $\mathit{PK}_T$ is a vector $(pk, \mathfrak{m}, \rho)$. Let $\{b_1, \dots, b_\ell\}$ be the largest subset of $\mathit{BB}$ such that for all $1 \le i \le \ell$ we have $b_i$ is a vector of length $2 \cdot n_c - 1$ and $\bigwedge_{j=1}^{n_c - 1} \mathsf{VerCiph}((pk, b_i[j], \{0, 1\}), b_i[j + n_c - 1], j) = 1 \wedge \mathsf{VerCiph}((pk, b_i[1] \otimes \cdots \otimes b_i[n_c - 1], \{0, 1\}), b_i[2 \cdot n_c - 1], n_c) = 1$.

We have for all choices $\beta \in \{1, \dots, n_c\}$, coins $r$ and ballots $b = \mathsf{Vote}(\mathit{PK}_T, n_c, \beta, k; r)$ that $b \notin \mathit{BB} \setminus \{b_1, \dots, b_\ell\}$ with overwhelming probability, since such an occurrence would imply a contradiction: $\{b_1, \dots, b_\ell\}$ is not the largest subset of $\mathit{BB}$ satisfying the conditions given by the tally algorithm, because $b$ is a vector of length $2 \cdot n_c - 1$ such that $\bigwedge_{j=1}^{n_c - 1} \mathsf{VerCiph}((pk, b[j], \{0, 1\}), b[j + n_c - 1], j) = 1 \wedge \mathsf{VerCiph}((pk, b[1] \otimes \cdots \otimes b[n_c - 1], \{0, 1\}), b[2 \cdot n_c - 1], n_c) = 1$ with overwhelming probability, but $b \notin \{b_1, \dots, b_\ell\}$. It follows that:
$$\text{correct-tally}(\mathit{PK}_T, \mathit{BB}, n_c, k) = \text{correct-tally}(\mathit{PK}_T, \{b_1, \dots, b_\ell\}, n_c, k) \qquad (1)$$
A proof of (1) follows from the definition of function correct-tally.

We proceed by distinguishing two cases.

Case I: $\{b_1, \dots, b_\ell\} = \emptyset$. By definition of function correct-tally and (1), we have $Y$ is a vector of length $n_c$ such that $\bigwedge_{j=1}^{n_c} Y[j] = 0$. Since $\bigwedge_{j=1}^{n_c} X[j] = 0$, we have $X = Y$ by definition of the verification algorithm.

Case II: $\{b_1, \dots, b_\ell\} \neq \emptyset$. By definition of the verification algorithm, we have $\mathsf{VerKey}((1^k, pk, \mathfrak{m}), \rho) = 1$. Moreover, by simulation sound extractability, we are assured that $pk$ is an output of $\mathsf{Gen}$ with overwhelming probability, i.e., there exist $s$ and $sk$ such that $(pk, sk, \mathfrak{m}) = \mathsf{Gen}(1^k; s)$.

By simulation sound extractability, with overwhelming probability, for all $1 \le i \le \ell$ there exist messages $m_{i,1}, \dots, m_{i,n_c - 1} \in \{0, 1\}$ and coins $r_{i,1}, \dots, r_{i,2 \cdot n_c - 2}$ such that for all $1 \le j \le n_c - 1$ we have
$$b_i[j + n_c - 1] = \mathsf{ProveCiph}((pk, b_i[j], \{0, 1\}), (m_{i,j}, r_{i,j}), j; r_{i,j + n_c - 1})$$
and
$$b_i[j] = \mathsf{Enc}(pk, m_{i,j}; r_{i,j}).$$
Moreover, for all $1 \le i \le \ell$ we have $\bigoplus_{j=1}^{n_c - 1} m_{i,j} \in \{0, 1\}$ and there exist coins $r_{i,2 \cdot n_c - 1}$ such that
$$b_i[2 \cdot n_c - 1] = \mathsf{ProveCiph}((pk, c, \{0, 1\}), (m, r), n_c; r_{i,2 \cdot n_c - 1})$$
with overwhelming probability, where $c \leftarrow b_i[1] \otimes \cdots \otimes b_i[n_c - 1]$, $m \leftarrow m_{i,1} \oplus \cdots \oplus m_{i,n_c - 1}$, and $r \leftarrow r_{i,1} \oplus \cdots \oplus r_{i,n_c - 1}$.

By inspection of $\mathsf{Vote}$, for all $1 \le i \le \ell$ there exist $\beta_i, r_i$ such that
$$b_i = \mathsf{Vote}(\mathit{PK}_T, n_c, \beta_i, k; r_i)$$
and either $\beta_i = n_c \wedge \bigwedge_{j=1}^{n_c - 1} m_{i,j} = 0$ or $\beta_i \in \{1, \dots, n_c - 1\} \wedge m_{i,\beta_i} = 1 \wedge \bigwedge_{j \in \{1, \dots, \beta_i - 1, \beta_i + 1, \dots, n_c - 1\}} m_{i,j} = 0$. It follows for all $1 \le i \le \ell$ and $1 \le j \le n_c - 1$ that:
$$m_{i,j} = 0 \iff \beta_i = n_c \vee \beta_i \neq j \qquad (2)$$
$$m_{i,j} = 1 \iff \beta_i = j \qquad (3)$$
Moreover, for all $1 \le i \le \ell$ we have:
$$\bigwedge_{j=1}^{n_c - 1} m_{i,j} = 0 \iff \beta_i = n_c \qquad (4)$$

Furthermore, we have the following facts:

Fact 1. For all integers $\beta$ and $k$ such that $1 \le \beta \le n_c$, we have:
$$\exists^{=k} b \in (\{b_1, \dots, b_\ell\} \setminus \{\bot\}) : \exists r : b = \mathsf{Vote}(\mathit{PK}_T, n_c, \beta, k; r)$$
$$\iff \exists^{=k} i \in \{1, \dots, \ell\} : \beta = \beta_i$$

Fact 2. For all integers $j$ and $k$ such that $1 \le j \le n_c - 1$, we have:
$$\exists^{=k} i \in \{1, \dots, \ell\} : \beta_i = j \iff k = \sum_{i=1}^{\ell} m_{i,j}$$

Proof of Fact 2. For the forward implication, suppose $j, k$ are integers such that $1 \le j \le n_c - 1$ and $\exists^{=k} i \in \{1, \dots, \ell\} : \beta_i = j$. We proceed by induction on $\ell$. In the base case ($\ell = 0$), we have $k = 0$, hence, $k = \sum_{i=1}^{\ell} m_{i,j}$. In the inductive case, we distinguish two cases. Case I: $\exists^{=k} i \in \{1, \dots, \ell - 1\} : \beta_i = j$ holds. We have $\beta_\ell \neq j$ by definition of the counting quantifier and, hence, $m_{\ell,j} = 0$ by (2). By our induction hypothesis, we derive $k = \sum_{i=1}^{\ell - 1} m_{i,j} = \sum_{i=1}^{\ell} m_{i,j}$. Case II: $\exists^{=k} i \in \{1, \dots, \ell - 1\} : \beta_i = j$ does not hold. We have $\beta_\ell = j$ by definition of the counting quantifier and, hence, $m_{\ell,j} = 1$ by (3). Moreover, we have $\exists^{=k-1} i \in \{1, \dots, \ell - 1\} : \beta_i = j$ holds. By our induction hypothesis, we derive $k - 1 = \sum_{i=1}^{\ell - 1} m_{i,j}$, that is, $k = \sum_{i=1}^{\ell} m_{i,j}$. For the reverse implication, suppose $j, k$ are integers such that $1 \le j \le n_c - 1$ and $k = \sum_{i=1}^{\ell} m_{i,j}$. We proceed by induction on $\ell$. In the base case ($\ell = 0$), we have $k = 0$, hence, $\exists^{=k} i \in \{1, \dots, \ell\} : \beta_i = j$. In the inductive case, we distinguish two cases. Case I: $k = \sum_{i=1}^{\ell - 1} m_{i,j}$. We have $m_{\ell,j} = 0$, hence, $\beta_\ell \neq j$ by (2). By our induction hypothesis, we have $\exists^{=k} i \in \{1, \dots, \ell - 1\} : \beta_i = j$. Since $\beta_\ell \neq j$, the result follows. Case II: $k \neq \sum_{i=1}^{\ell - 1} m_{i,j}$. Since $m_{\ell,j} \in \{0, 1\}$, we have $m_{\ell,j} = 1$, hence, $\beta_\ell = j$ by (3). Moreover, we have $k - 1 = \sum_{i=1}^{\ell - 1} m_{i,j}$. By our induction hypothesis, we derive $\exists^{=k-1} i \in \{1, \dots, \ell - 1\} : \beta_i = j$. The result follows.

Fact 3. For all integers $k$, we have
$$\exists^{=k} i \in \{1, \dots, \ell\} : \beta_i = n_c \iff k = \ell - \sum_{j=1}^{n_c - 1} \sum_{i=1}^{\ell} m_{i,j}$$

Proof of Fact 3. For the forward implication, suppose $\exists^{=k} i \in \{1, \dots, \ell\} : \beta_i = n_c$. We proceed by induction on $\ell$. In the base case ($\ell = 0$), we have $k = 0$, hence, $k = \ell - \sum_{j=1}^{n_c - 1} \sum_{i=1}^{\ell} m_{i,j}$. In the inductive case, we distinguish two cases. Case I: $\exists^{=k} i \in \{1, \dots, \ell - 1\} : \beta_i = n_c$ holds. We have $\beta_\ell \neq n_c$ by definition of the counting quantifier and we derive $\sum_{j=1}^{n_c - 1} m_{\ell,j} \neq 0$ by (4). Moreover, since $\sum_{j=1}^{n_c - 1} m_{\ell,j} \in \{0, 1\}$, we have $\sum_{j=1}^{n_c - 1} m_{\ell,j} = 1$. By our induction hypothesis, we derive $k = \ell - 1 - \sum_{j=1}^{n_c - 1} \sum_{i=1}^{\ell - 1} m_{i,j} = \ell - \sum_{j=1}^{n_c - 1} \sum_{i=1}^{\ell} m_{i,j}$. Case II: $\exists^{=k} i \in \{1, \dots, \ell - 1\} : \beta_i = n_c$ does not hold. We have $\beta_\ell = n_c$ by definition of the counting quantifier and we derive $\sum_{j=1}^{n_c - 1} m_{\ell,j} = 0$ by (4). Moreover, we have $\exists^{=k-1} i \in \{1, \dots, \ell - 1\} : \beta_i = n_c$ holds. By our induction hypothesis, we derive $k - 1 = \ell - 1 - \sum_{j=1}^{n_c - 1} \sum_{i=1}^{\ell - 1} m_{i,j}$, that is, $k = \ell - \sum_{j=1}^{n_c - 1} \sum_{i=1}^{\ell - 1} m_{i,j} = \ell - \sum_{j=1}^{n_c - 1} \sum_{i=1}^{\ell} m_{i,j}$. For the reverse implication, suppose $k = \ell - \sum_{j=1}^{n_c - 1} \sum_{i=1}^{\ell} m_{i,j}$. We proceed by induction on $\ell$. In the base case ($\ell = 0$), we have $k = 0$, hence, $\exists^{=k} i \in \{1, \dots, \ell\} : \beta_i = n_c$. In the inductive case, we distinguish two cases. Case I: $k = \ell - 1 - \sum_{j=1}^{n_c - 1} \sum_{i=1}^{\ell - 1} m_{i,j}$. We have $\sum_{j=1}^{n_c - 1} m_{\ell,j} = 1$. Since $m_{\ell,1}, \dots, m_{\ell,n_c - 1} \in \{0, 1\}$, there exists $j$ such that $1 \le j \le n_c - 1$ and $m_{\ell,j} = 1$, moreover, $\beta_\ell = j$ by (3), hence, $\beta_\ell \neq n_c$. By our induction hypothesis, we derive $\exists^{=k} i \in \{1, \dots, \ell - 1\} : \beta_i = n_c$. The result follows. Case II: $k \neq \ell - 1 - \sum_{j=1}^{n_c - 1} \sum_{i=1}^{\ell - 1} m_{i,j}$. Since $\sum_{j=1}^{n_c - 1} m_{\ell,j} \in \{0, 1\}$, we have $\sum_{j=1}^{n_c - 1} m_{\ell,j} = 0$, and we derive $\beta_\ell = n_c$ by (4). Moreover, we have $k - 1 = \ell - 1 - \sum_{j=1}^{n_c - 1} \sum_{i=1}^{\ell - 1} m_{i,j}$. By our induction hypothesis, we derive $\exists^{=k-1} i \in \{1, \dots, \ell - 1\} : \beta_i = n_c$. The result follows.

We proceed the proof of Proposition 17 using the above facts. By definition of the verification algorithm, we have $\bigwedge_{j=1}^{n_c - 1} \mathsf{VerDec}((pk, b_1[j] \otimes \cdots \otimes b_\ell[j], X[j]), P[j]) = 1 \wedge X[n_c] = \ell - \sum_{j=1}^{n_c - 1} X[j]$. By simulation sound extractability, we have for all $1 \le j \le n_c - 1$ that $X[j] = \mathsf{Dec}(pk, sk, b_1[j] \otimes \cdots \otimes b_\ell[j])$ with overwhelming probability, hence, $X[j] = m_{1,j} \oplus \cdots \oplus m_{\ell,j}$, with overwhelming probability. Let $m_s$ be the largest integer such that $\{0, \dots, m_s\} \subseteq \mathfrak{m}$. By definition of the verification algorithm, we have $\ell \le m_s$. It follows that $m_{1,j} \oplus \cdots \oplus m_{\ell,j} = \sum_{i=1}^{\ell} m_{i,j}$, hence,
$$X[j] = \sum_{i=1}^{\ell} m_{i,j}$$
with overwhelming probability. By definition of function correct-tally, (1) and Fact 1 we have $Y$ is a vector of length $n_c$ such that for all $1 \le \beta \le n_c$ we have
$$Y[\beta] = k \text{ if } \exists^{=k} i \in \{1, \dots, \ell\} : \beta = \beta_i.$$
It follows by Facts 2 and 3 that for all $1 \le \beta \le n_c$ we have $X[\beta] = Y[\beta]$ with overwhelming probability, hence, $X = Y$ with overwhelming probability.

We have $X = Y$ with overwhelming probability in both cases, i.e., $\mathrm{Exp\text{-}UV\text{-}Ext}(\Pi, A, k)$ outputs $0$ with overwhelming probability and $\mathrm{Succ}(\mathrm{Exp\text{-}UV\text{-}Ext}(\Pi, A, k))$ is negligible, concluding our proof. □

C. Election verifiability

By Propositions 16 & 17, election schemes constructed from generalized Helios satisfy election verifiability with external authentication:

Corollary 18. Suppose $\Gamma$, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$ and $\mathcal{H}$ satisfy the preconditions of Figure 1. Further suppose that $\Gamma$ is collision-free for $\{0, 1\}$, $\Sigma_1$, $\Sigma_2$ and $\Sigma_3$ satisfy special soundness and special honest verifier zero-knowledge, and $\mathcal{H}$ is a random oracle. We have $\mathrm{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \mathcal{H})$ satisfies election verifiability with external authentication.


D. Proof: Theorem 2

Our proof of Theorem 2 is reliant on Corollary 18. We have already shown that the sigma protocol used by Helios 4.0 to prove discrete logarithms is sufficient to ensure that El Gamal is collision-free (Lemma 15), hence, it remains to show that the sigma protocols used by Helios 4.0 satisfy special soundness and special honest verifier zero-knowledge.

Bernhard et al. [20, §4] remark that the sigma protocols used by Helios 4.0 to prove discrete logarithms and equality between discrete logarithms both satisfy special soundness and special honest verifier zero knowledge, hence, Theorem 9 is applicable. Bernhard et al. also remark that the sigma protocol for proving knowledge of disjunctive equality between discrete logarithms satisfies special soundness and "almost special honest verifier zero knowledge" and argue that "we could fix this[, but] it is easy to see that ... all relevant theorems [including Theorem 9] still hold." We adopt the same and assume that Theorem 9 is applicable.

Proof of Theorem 2. The proof follows from Corollary 18, subject to the applicability of Theorem 9 to the sigma protocol used by Helios 4.0 to prove knowledge of disjunctive equality between discrete logarithms. □


Appendix E

Proof: Helios 2.0 is not verifiable

Bernhard et al. [20] demonstrate that Helios 2.0 is not verifiable and we show that Helios 2.0 does not satisfy Ver-Ext.

Definition 27 (Weak Fiat-Shamir transformation [20]). The weak Fiat-Shamir transformation is a function wFS that is identical to FS, except that it excludes statement $s$ in the hashes computed by Prove and Verify, as follows: $\mathit{chal} \leftarrow \mathcal{H}(\mathit{comm})$.

Definition 28 (Helios 2.0). Let Helios be Helios after replacing all instances of the Fiat-Shamir transformation with the weak Fiat-Shamir transformation and excluding the (optional) messages input to ProveCiph, i.e., ProveCiph should be used as a binary function. Helios 2.0 is $\mathrm{Helios}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \mathcal{H})$, where $\Gamma$, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$ and $\mathcal{H}$ are given in Definition 26.


Fig. 2 Adversary against Helios 2.0

Given a security parameter $k$ as input, $\mathcal{A}$ computes primes $p$ and $q$ such that $p = 2 \cdot q + 1$ and $q$ is of length $k$. $\mathcal{A}$ also computes a generator $g$ of the multiplicative group $\mathbb{Z}_p^*$. Let $n_C \leftarrow 2$ and $\mathfrak{m} \leftarrow \mathbb{N}_{q-1}$, moreover, let $m > 1$ be an element of $\mathfrak{m}$. The adversary proceeds as follows:

%coins
$(a_0, b_0, a_1, b_1) \leftarrow_R \mathbb{Z}_q^4$;
%witnesses
$A_0 \leftarrow g^{a_0} \pmod p$;
$B_0 \leftarrow g^{b_0} \pmod p$;
$A_1 \leftarrow g^{a_1} \pmod p$;
$B_1 \leftarrow g^{b_1} \pmod p$;
%challenge hash
$c \leftarrow \mathcal{H}(A_0, B_0, A_1, B_1) \pmod q$;
%private key
$x \leftarrow \dfrac{(b_0 + c \cdot m)(1 - m) - b_1 \cdot m}{a_0 \cdot (1 - m) - a_1 \cdot m} \pmod q$;
%challenges
$c_1 \leftarrow \dfrac{b_1 - a_1 \cdot x}{1 - m} \pmod q$;
$c_0 \leftarrow c - c_1 \pmod q$;
%coins
$r \leftarrow_R \mathbb{Z}_q$;
%responses
$f_0 \leftarrow a_0 + c_0 \cdot r \pmod q$;
$f_1 \leftarrow a_1 + c_1 \cdot r \pmod q$;
%proof of plaintext knowledge
$\sigma \leftarrow (A_0, B_0, c_0, f_0, A_1, B_1, c_1, f_1)$;
%public key
$h \leftarrow g^x \pmod p$; $pk \leftarrow (p, q, g, h)$;
%proof of correct key construction
$\rho \leftarrow \mathrm{ProveKey}((1^k, pk, \mathfrak{m}), (x, r'))$;
%ciphertext
$e \leftarrow (g^r \bmod p,\; h^r \cdot g^m \bmod p)$;
%bulletin board
$BB \leftarrow \{(e, \sigma, \sigma)\}$;
%tally
$X \leftarrow (m, 1 - m)$;
%proof of decryption
$P \leftarrow (\mathrm{ProveDec}((pk, e, m), x))$;
return $((pk, \mathfrak{m}, \rho), BB, n_C, X, P)$

where $r'$ is computed such that $(pk, x, \mathfrak{m}) = \mathrm{Gen}(1^k; r')$.
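The Figure 2 adversary and the VerCiph check it targets, as an added example that is not the paper's own code: it verifies the adversary's proof under the weak Fiat-Shamir transformation, confirms by exhaustive search over the coins that no honest choice produces the ballot (so correct-tally yields (0, 0) while the adversary announces (m, 1 − m)), and shows that the same proof is rejected as soon as the statement (pk, e) is hashed in. The toy safe-prime group, SHA-256 as the hash function and the order-q generator g = 4 are this example's assumptions.

```python
import hashlib
import random

# Toy group, constructed for this example: p = 2q + 1 is a safe prime and
# g = 4 generates the order-q subgroup of quadratic residues mod p.
P, Q, G = 10007, 5003, 4


def H(*vals):
    """Fiat-Shamir challenge: hash the given values into Z_q (SHA-256 stands
    in for the paper's hash function H)."""
    data = ",".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def ver_ciph(pk, e, sigma, strong):
    """VerCiph for the disjunctive proof that e encrypts 0 or 1 (exponential
    El Gamal).  strong=False is the weak Fiat-Shamir transformation of
    Helios 2.0: the statement (pk, e) is left out of the hash.  strong=True
    hashes it in."""
    p, q, g, h = pk
    R, S = e
    A0, B0, c0, f0, A1, B1, c1, f1 = sigma
    S_over_g = S * pow(g, p - 2, p) % p
    chal = H(pk, e, A0, B0, A1, B1) if strong else H(A0, B0, A1, B1)
    return (pow(g, f0, p) == A0 * pow(R, c0, p) % p
            and pow(h, f0, p) == B0 * pow(S, c0, p) % p
            and pow(g, f1, p) == A1 * pow(R, c1, p) % p
            and pow(h, f1, p) == B1 * pow(S_over_g, c1, p) % p
            and chal == (c0 + c1) % q)


def adversary(m):
    """The Figure 2 adversary for a plaintext m > 1: commit first, read off
    the weak challenge c, and only then solve for the private key x and the
    split (c0, c1) that satisfy every verification equation."""
    while True:
        a0, b0, a1, b1 = (random.randrange(1, Q) for _ in range(4))
        if (a0 * (1 - m) - a1 * m) % Q:      # denominator of x must be invertible
            break
    A0, B0, A1, B1 = (pow(G, t, P) for t in (a0, b0, a1, b1))
    c = H(A0, B0, A1, B1)                    # wFS: c does not depend on pk or e
    x = ((b0 + c * m) * (1 - m) - b1 * m) * pow(a0 * (1 - m) - a1 * m, Q - 2, Q) % Q
    c1 = (b1 - a1 * x) * pow(1 - m, Q - 2, Q) % Q
    c0 = (c - c1) % Q
    r = random.randrange(1, Q)
    f0, f1 = (a0 + c0 * r) % Q, (a1 + c1 * r) % Q
    h = pow(G, x, P)
    pk = (P, Q, G, h)
    e = (pow(G, r, P), pow(h, r, P) * pow(G, m, P) % P)   # encrypts m, not 0 or 1
    sigma = (A0, B0, c0, f0, A1, B1, c1, f1)
    X = (m, 1 - m)                                        # the tally A announces
    return pk, e, sigma, X


def correct_tally(pk, e, nc=2):
    """correct-tally for the one-ballot board {e} with nc = 2: Y[beta] is 1
    iff some coins r make the honest ciphertext for choice beta equal e
    (choice 1 encrypts 1, choice 2 encrypts 0).  Trying every coin is only
    possible because the toy group is small."""
    p, q, g, h = pk
    Y = [0] * nc
    for beta, plaintext in ((1, 1), (2, 0)):
        for r in range(q):
            if e == (pow(g, r, p), pow(h, r, p) * pow(g, plaintext, p) % p):
                Y[beta - 1] += 1
                break
    return tuple(Y)
```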


Proposition 19. Helios 2.0 does not satisfy Ver-Ext.

Our proof of Proposition 19 formalizes the attack by Bernhard et al. [20, §3] in the context of our universal verifiability experiment.

Proof. Let Vote and Tally be the vote and tallying algorithms defined by Helios 2.0. Moreover, let $\mathrm{wFS}(\Sigma_1, \mathcal{H}) = (\mathrm{ProveKey}, \mathrm{VerKey})$, $\mathrm{wFS}(\Sigma_2, \mathcal{H}) = (\mathrm{ProveCiph}, \mathrm{VerCiph})$ and $\mathrm{wFS}(\Sigma_3, \mathcal{H}) = (\mathrm{ProveDec}, \mathrm{VerDec})$. We construct an adversary $\mathcal{A}$ (Figure 2) against the universal verifiability experiment.

Suppose an execution of $\mathrm{Exp\text{-}UV\text{-}Ext}(\Pi, \mathcal{A}, k)$ computes

$(PK_T, BB, n_C, X, P) \leftarrow \mathcal{A}(k)$;
$Y \leftarrow \mathrm{correct\text{-}tally}(pk, BB, n_C, k)$

Furthermore, we have

Since $m > 1$, there is no choice $\beta \in \{1, 2\}$ nor coins $r$ such that $\mathrm{Vote}(PK_T, n_C, \beta, k; r) \in BB$. By definition of function correct-tally, we have $Y = (0, 0)$. Moreover, since $X = (m, 1 - m)$, we have $X \neq Y$ and $X[2] = 1 - X[1]$. Let us show that $\mathrm{Verify}(PK_T, BB, n_C, X, P, k) = 1$. By definition of Verify, we have $PK_T$ is a vector $(pk, \mathfrak{m}, \rho)$. Moreover, by the completeness of (ProveKey, VerKey) and (ProveDec, VerDec), we have $\mathrm{VerKey}((1^k, pk, \mathfrak{m}), \rho) = 1$ and $\mathrm{VerDec}((pk, e, X[1]), P[1]) = 1$. It remains to show that $BB$ is the largest subset of $BB$ satisfying the conditions given by the Tally algorithm. Since $BB = \{(e, \sigma, \sigma)\}$ and $(e, \sigma, \sigma)$ is a vector of length $2 \cdot n_C - 1$, it suffices to show that $\mathrm{VerCiph}((pk, e, \{0, 1\}), \sigma) = 1$. Let us recall the definition of VerCiph (cf. [42, Figure 1] and Definition 27):

• $\mathrm{VerCiph}((pk, e, \{0, 1\}), \sigma)$. Parses $pk$ as $(p, q, g, h)$, $e$ as $(R, S)$, and $\sigma$ as $(A_0, B_0, c_0, f_0, A_1, B_1, c_1, f_1)$, outputting 0 if parsing fails. If $g^{f_0} = A_0 \cdot R^{c_0} \pmod p \;\wedge\; h^{f_0} = B_0 \cdot S^{c_0} \pmod p \;\wedge\; g^{f_1} = A_1 \cdot R^{c_1} \pmod p \;\wedge\; h^{f_1} = B_1 \cdot (S/g)^{c_1} \pmod p \;\wedge\; \mathcal{H}(A_0, B_0, A_1, B_1) = c_0 + c_1 \pmod q$, then output 1, otherwise, output 0.

We have

$$g^{f_0} = g^{a_0 + c_0 \cdot r} = g^{a_0} \cdot (g^r)^{c_0} = A_0 \cdot R^{c_0} \pmod p$$

$$g^{f_1} = g^{a_1 + c_1 \cdot r} = g^{a_1} \cdot (g^r)^{c_1} = A_1 \cdot R^{c_1} \pmod p$$

$$\mathcal{H}(A_0, B_0, A_1, B_1) = c_0 + c_1 = c - c_1 + c_1 = \mathcal{H}(A_0, B_0, A_1, B_1) - c_1 + c_1 \pmod q$$

Moreover, we have $h^{f_0} = g^{x(a_0 + c_0 \cdot r)} \pmod p$ and $B_0 \cdot S^{c_0} = g^{b_0 + c_0(x \cdot r + m)} \pmod p$, hence, to show $h^{f_0} = B_0 \cdot S^{c_0} \pmod p$, it is sufficient to show $b_0 + c_0 \cdot m = x \cdot a_0 \pmod q$:

$$\begin{aligned}
b_0 + c_0 \cdot m &= b_0 + c \cdot m - m \cdot c_1 \\
&= b_0 + c \cdot m - \frac{(b_1 - a_1 \cdot x) \cdot m}{1 - m} \\
&= \frac{(b_0 + c \cdot m)(1 - m) - b_1 \cdot m + a_1 \cdot m \cdot x}{1 - m} \\
&= \frac{(b_0 + c \cdot m)(1 - m) - b_1 \cdot m}{1 - m} + \frac{a_1 \cdot m \cdot x}{1 - m} \\
&= \frac{(a_0(1 - m) - a_1 \cdot m)((b_0 + c \cdot m)(1 - m) - b_1 \cdot m)}{(1 - m)(a_0(1 - m) - a_1 \cdot m)} + \frac{a_1 \cdot m((b_0 + c \cdot m)(1 - m) - b_1 \cdot m)}{(1 - m)(a_0(1 - m) - a_1 \cdot m)} \\
&= \frac{a_0(1 - m)((b_0 + c \cdot m)(1 - m) - b_1 \cdot m)}{(1 - m)(a_0(1 - m) - a_1 \cdot m)} \\
&= \frac{a_0 \cdot ((b_0 + c \cdot m)(1 - m) - b_1 \cdot m)}{a_0(1 - m) - a_1 \cdot m} \\
&= x \cdot a_0 \pmod q
\end{aligned}$$

Similarly, $h^{f_1} = g^{x(a_1 + c_1 \cdot r)} \pmod p$ and $B_1 \cdot (S/g)^{c_1} = g^{b_1 + c_1(x \cdot r + m - 1)} \pmod p$, hence, to show $h^{f_1} = B_1 \cdot (S/g)^{c_1} \pmod p$, it is sufficient to show $b_1 + c_1(m - 1) = a_1 \cdot x \pmod q$:

$$\begin{aligned}
b_1 + c_1(m - 1) &= b_1 + \frac{(m - 1)(b_1 - a_1 \cdot x)}{1 - m} \\
&= \frac{b_1(1 - m) + (m - 1)(b_1 - a_1 \cdot x)}{1 - m} \\
&= \frac{a_1 \cdot x(1 - m)}{1 - m} \\
&= a_1 \cdot x \pmod q
\end{aligned}$$

It follows that $\mathrm{VerCiph}((pk, e, \{0, 1\}), \sigma) = 1$, concluding our proof. □

Appendix F

Proof: Exp-EV-Int ⇒ Exp-IV-Int

Our eligibility verifiability experiment (§IV-B3) asserts that no one can construct a ballot that appears to be associated with public credential $pk$ unless they know private credential $sk$. It follows that a voter can uniquely identify her ballot on the bulletin board, because no one else knows her private credential. Eligibility verifiability therefore implies individual verifiability (Theorem 4).

Our proof of Theorem 4 is reliant on distinct credentials, which is a consequence of eligibility verifiability:

Lemma 20. If an election scheme $\Pi$ satisfies strong eligibility verifiability, then there exists a negligible function $\mu$, such that for all security parameters $k$, we have

$$\Pr\big[(PK_T, SK_T, m_B, m_C) \leftarrow \mathrm{Setup}(k);\ (pk_0, sk_0) \leftarrow \mathrm{Register}(PK_T, k);\ (pk_1, sk_1) \leftarrow \mathrm{Register}(PK_T, k) : sk_0 = sk_1\big] \le \mu(k)$$


Proof. Suppose an election scheme $\Pi$ satisfies Exp-EV-Int, but

$$\Pr\big[(PK_T, SK_T, m_B, m_C) \leftarrow \mathrm{Setup}(k);\ (pk_0, sk_0) \leftarrow \mathrm{Register}(PK_T, k);\ (pk_1, sk_1) \leftarrow \mathrm{Register}(PK_T, k) : sk_0 = sk_1\big] > \frac{1}{p(k)}$$

for some polynomial $p$ and security parameter $k$. Then we can construct an adversary $\mathcal{A}$ that wins Exp-EV-Int as follows. Adversary $\mathcal{A}$ is given input $k$ and runs Setup to obtain a key pair $(PK_T, SK_T)$, chooses some positive integer $n_V$, and outputs $(PK_T, n_V)$. The challenger then generates $n_V$ key pairs and gives the set $L$ of public keys to $\mathcal{A}$. Now $\mathcal{A}$ simply runs $\mathrm{Register}(PK_T, k)$ to get a key pair $(pk, sk)$, chooses some positive integers $n_C$ and $\beta$ such that $1 \le \beta \le n_C$, computes $b \leftarrow \mathrm{Vote}(sk, PK_T, n_C, \beta, k)$, and outputs $(n_C, b)$. We know that secret keys generated by Register collide with probability at least $\frac{1}{p(k)}$, so Register must generate a particular secret key $sk'$ with probability …. Therefore, this $sk'$ will correspond to one of the public keys in $L$ with probability …. Furthermore, the key $sk$ generated by the adversary will be $sk'$ with probability …. Therefore, $b$ will be a vote constructed under a voter's secret key with probability …, so $\mathcal{A}$ wins the experiment with non-negligible probability. □
A. Proof: Theorem 7

Suppose there exists an adversary $\mathcal{A}'$ that wins $\mathrm{Exp\text{-}IV\text{-}Int}(\Pi, \mathcal{A}', k)$ with probability $\frac{1}{p(k)}$ for some polynomial $p$. Then we can construct an adversary $\mathcal{A}$ that wins $\mathrm{Exp\text{-}EV\text{-}Int}(\Pi, \mathcal{A}, k)$ with non-negligible probability. Adversary $\mathcal{A}$ is given $k$ as input, which it passes to $\mathcal{A}'$. Adversary $\mathcal{A}'$ may ask for secret keys from its oracle $\mathcal{C}$, in which case $\mathcal{A}$ forwards these queries to its own, identical oracle. Adversary $\mathcal{A}$ then forwards the oracle's response back to $\mathcal{A}'$. Adversary $\mathcal{A}'$ then outputs $(PK_T, n_V)$, which is then output by $\mathcal{A}$. Next, $\mathcal{A}$ is given the public keys $(pk_1, \dots, pk_{n_V})$. Adversary $\mathcal{A}$ passes these keys to $\mathcal{A}'$, which returns $(n_C, \beta, \beta', i, j)$. Any oracle queries made by $\mathcal{A}'$ are handled exactly as before. Now $\mathcal{A}$ queries its oracle $\mathcal{C}$ on $i$. The oracle returns $sk_i$. Adversary $\mathcal{A}$ computes $b = \mathrm{Vote}(sk_i, PK_T, n_C, \beta)$ and outputs $(n_C, \beta', j, b)$. Adversary $\mathcal{A}'$ wins $\mathrm{Exp\text{-}IV\text{-}Int}(\Pi, \mathcal{A}', k)$ with non-negligible probability, so with non-negligible probability $b = \mathrm{Vote}(sk_j, PK_T, n_C, \beta')$ and $\mathcal{A}'$ (and therefore $\mathcal{A}$) did not query the oracle on input $j$. Adversary $\mathcal{A}$ only makes one additional oracle query on input $i$, so again, $\mathcal{A}$ does not query the oracle on $j$. Furthermore, by Lemma 20, $sk_i = sk_j$ with only negligible probability. Therefore $\mathcal{A}$ wins $\mathrm{Exp\text{-}EV\text{-}Int}(\Pi, \mathcal{A}, k)$ with probability $\frac{1}{p(k)} - \mathrm{negl}(k)$. □

Appendix G

JCJ Scheme


We formalize a generic construction for JCJ-like election schemes (Figure 3). Our construction is parameterized on the choice of homomorphic encryption scheme and sigma protocols.³² The specification of algorithms Setup, Register and Vote follow from our informal descriptions (§V-B).³³ The tallying algorithm performs the following steps:

1) Remove invalid ballots: The tallier discards any ballots from the bulletin board for which proofs do not hold.

2) Eliminating duplicates: The tallier performs pairwise PETs on the encrypted credentials and discards any ballots for which a test holds, that is, ballots using the same credential are discarded.³⁴

3) Mixing: The tallier mixes the ciphertexts in the ballots (i.e., the encrypted choices and the encrypted credentials), using the same secret permutation for both mixes, hence, the mix preserves the relation between encrypted choices and credentials. Let $C_1$ and $C_2$ be the vectors output by these mixes. The tallier also mixes the public credentials published by the registrar. Let $C_3$ be the vector output by this mix.

4) Remove ineligible ballots: The tallier discards ciphertexts $C_1[i]$ from $C_1$ if there is no ciphertext $c$ in $C_3$ such that a PET holds for $c$ and $C_2[i]$, that is, ballots cast using ineligible credentials are discarded.

5) Decrypting: The tallier decrypts the remaining encrypted choices in $C_1$ and proves that decryption was performed correctly. The tallier identifies the winning candidate from the decrypted choices.

The Verify algorithm checks that each of the above steps has been performed correctly.

³² For brevity, the encryption scheme's message space $\mathfrak{m}$ is assumed to contain $\{1, \dots, |\mathfrak{m}|\}$.

³³ Algorithm Setup bounds the maximum number of voters to a polynomial in the security parameter to ensure that private voter credentials do not collide, with overwhelming probability.

³⁴ JCJ permits revoting; ballots are removed in accordance with a revoting policy [79, §4.1]. Since election schemes that permit revoting cannot satisfy our definition of universal verifiability (§IV-B2), we assume that the revoting policy forbids revoting, i.e., ballots using the same credential are discarded.
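The tallying steps above, as an added example that is not the paper's or JCJ's own code: it runs duplicate elimination, mixing, eligibility filtering by PET and decryption over a constructed bulletin board in a toy El Gamal group, and shows that a revote and a ballot cast under an unregistered credential both drop out of the count. The sigma-protocol proofs of Figure 3 (so Step 1 and every Prove/Ver output) are omitted, choices are encoded as $g^\beta$, and the safe-prime parameters are this example's assumptions.

```python
import random

# Toy group, constructed for this example: p = 2q + 1 is a safe prime and g = 4
# generates the order-q subgroup, so credentials and encoded choices are
# subgroup elements and the blinded PET below is sound.
P, Q, G = 10007, 5003, 4


def enc(h, m):
    """Multiplicatively homomorphic El Gamal: Enc(pk, m; r) = (g^r, h^r * m)."""
    r = random.randrange(1, Q)
    return (pow(G, r, P), pow(h, r, P) * m % P)


def dec(sk, c):
    # c[0] has order q, so c[0]^(q - sk) is c[0]^(-sk)
    return c[1] * pow(c[0], Q - sk, P) % P


def reenc(h, c):
    """Re-encryption c (x) Enc(pk, e) with the identity e = 1 and fresh coins."""
    d = enc(h, 1)
    return (c[0] * d[0] % P, c[1] * d[1] % P)


def pet(sk, c, d):
    """Plaintext equality test: raise the quotient c/d to a random exponent and
    decrypt; the result is 1 iff c and d encrypt the same subgroup element."""
    z = random.randrange(1, Q)
    quot = (c[0] * pow(d[0], Q - 1, P) % P, c[1] * pow(d[1], Q - 1, P) % P)
    return dec(sk, (pow(quot[0], z, P), pow(quot[1], z, P))) == 1


def register(h, t=None):
    """Register: the private credential d is a random subgroup element g^t,
    the public credential is Enc(pk, d)."""
    d = pow(G, random.randrange(1, Q) if t is None else t, P)
    return d, enc(h, d)


def vote(d, h, beta):
    """Vote: encrypt the choice (encoded as g^beta) and the credential.  The
    proofs sigma and tau of Figure 3 are omitted in this toy."""
    return (enc(h, pow(G, beta, P)), enc(h, d))


def tally(sk, h, BB, L, nc):
    """Steps 2-5 of the generalized JCJ tallying algorithm (Step 1 has no
    proofs to check here; ProvePET/ProveMix/ProveDec outputs are omitted)."""
    # Step 2, eliminating duplicates: drop every ballot whose credential PETs
    # with another ballot's credential (revoting is forbidden).
    kept = [b for i, b in enumerate(BB)
            if not any(pet(sk, b[1], o[1]) for j, o in enumerate(BB) if j != i)]
    # Step 3, mixing: one permutation chi for both ciphertext vectors, a second
    # permutation for the electoral roll.
    chi = random.sample(range(len(kept)), len(kept))
    C1, C2 = [None] * len(kept), [None] * len(kept)
    for i, b in enumerate(kept):
        C1[chi[i]], C2[chi[i]] = reenc(h, b[0]), reenc(h, b[1])
    C3 = [reenc(h, pd) for pd in random.sample(L, len(L))]
    # Step 4, remove ineligible ballots: keep C1[i] only if C2[i] PETs with a
    # roll entry.  Step 5, decrypting: recover g^beta and count it.
    decode = {pow(G, beta, P): beta for beta in range(1, nc + 1)}
    X = [0] * nc
    for c1, c2 in zip(C1, C2):
        if any(pet(sk, c2, c) for c in C3):
            beta = decode.get(dec(sk, c1))
            if beta is not None:
                X[beta - 1] += 1
    return X


def demo():
    """Three registered voters, one of them casting twice, plus one ballot cast
    under a credential that was never placed on the roll (constructed input)."""
    sk = random.randrange(1, Q)
    h = pow(G, sk, P)
    t0, t1, t2, t3 = random.sample(range(1, Q), 4)      # distinct credentials
    creds = [register(h, t) for t in (t0, t1, t2)]
    L = [pd for _, pd in creds]
    outsider, _ = register(h, t3)
    BB = [vote(creds[0][0], h, 1),
          vote(creds[1][0], h, 2), vote(creds[1][0], h, 1),  # same credential twice
          vote(creds[2][0], h, 2),
          vote(outsider, h, 1)]                               # ineligible credential
    return tally(sk, h, BB, L, nc=2)
```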

Lemmata 21–23 demonstrate that generalized JCJ is a construction for election schemes.

Lemma 21. Suppose $\Gamma$, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$, $\Sigma_4$, $\Sigma_5$, $\Sigma_6$ and $\mathcal{H}$ satisfy the preconditions of Figure 3. We have $\mathrm{JCJ}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \Sigma_4, \Sigma_5, \Sigma_6, \mathcal{H})$ satisfies Correctness.

Proof. Our proof is by induction on the number of ballots $n_B$. We start with the base case, $n_B = 1$. For all $k$, $n_C$, and $\beta \in \{1, \dots, n_C\}$, we have

$(PK_T, SK_T, m_B, m_C) \leftarrow \mathrm{Setup}(k)$;
$(pk, sk) \leftarrow \mathrm{Register}(PK_T, k)$;
$b \leftarrow \mathrm{Vote}(sk, PK_T, n_C, \beta, k)$;
$Y[\beta] \leftarrow Y[\beta] + 1$;
$L \leftarrow \{pk\}$;
$BB \leftarrow \{b\}$;
$(X, P) \leftarrow \mathrm{Tally}(PK_T, SK_T, BB, L, n_C, k)$;

Assume $n_C \le m_C$ (otherwise, we trivially satisfy correctness). Hence, we need to show $X[\beta] = 1$ and $X[i] = 0$ for all $i \neq \beta$. By definition of Setup, we have $PK_T = (pk_T, \mathfrak{m}, \rho)$ and $m_C = |\mathfrak{m}|$. By definition of Vote, we have $b = (c_1, c_2, \sigma, \tau)$, where $c_1 = \mathrm{Enc}(pk_T, \beta; r_1)$, $c_2 = \mathrm{Enc}(pk_T, sk; r_2)$, $\sigma = \mathrm{ProveCiph}((pk_T, c_1, \{1, \dots, n_C\}), (\beta, r_1))$, and $\tau = \mathrm{ProveBind}((pk_T, c_1, c_2), (\beta, r_1, sk, r_2))$. Since $\beta \in \{1, \dots, n_C\}$ and $n_C \le |\mathfrak{m}|$, we have $\beta$ is a message in $\Gamma$'s message space.

• Remove invalid ballots: This involves checking the proofs $\sigma$ and $\tau$. Since they were honestly computed, they verify with overwhelming probability.

• Remove duplicate ballots: Tally would check here if there are multiple ballots computed using the same secret key. Since there is only one ballot, this check passes trivially.

• Mixing: Tally mixes the ballots. Since there is only one ballot, Tally will just re-encrypt the ballot. Let the re-encryptions of $b[1]$ and $b[2]$ be $b'[1]$ and $b'[2]$, respectively. This is done honestly, so $b'[1]$ will still be an encryption of $\beta$ and $b'[2]$ will still be an encryption of $sk$.

• Remove ineligible ballots: As mentioned, $b'[2]$ is still an encryption of $sk$, which is a valid secret key, so the ballot is not eliminated.

• Decrypting: Finally, Tally computes $\beta' \leftarrow \mathrm{Dec}(pk_T, SK_T, b'[1])$. Again, since $b'[1]$ is still an encryption of $\beta$, we have $\beta' = \beta$. Tally then increments $X[\beta]$ by 1.

Since we now have $X[\beta] = 1$ and $X[i] = 0$ for all $i \neq \beta$, we have that JCJ satisfies correctness when $n_B = 1$.
Fig. 3 Generalized JCJ

Suppose $\Gamma = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is a multiplicatively homomorphic asymmetric encryption scheme with a message space over $\mathbb{Z}_m^*$ for some integer $m$ determined by the security parameter, $e$ is an identity element of $\Gamma$'s message space with respect to $\otimes$, $\Sigma_1$ proves correct key construction, $\Sigma_2$ proves plaintext knowledge in a subspace, $\Sigma_3$ proves conjunctive plaintext knowledge, $\Sigma_4$ proves correct decryption, $\Sigma_5$ is a PET, $\Sigma_6$ is a mixnet, and $\mathcal{H}$ is a hash function. Let $\mathrm{FS}(\Sigma_1, \mathcal{H}) = (\mathrm{ProveKey}, \mathrm{VerKey})$, $\mathrm{FS}(\Sigma_2, \mathcal{H}) = (\mathrm{ProveCiph}, \mathrm{VerCiph})$, $\mathrm{FS}(\Sigma_3, \mathcal{H}) = (\mathrm{ProveBind}, \mathrm{VerBind})$, $\mathrm{FS}(\Sigma_4, \mathcal{H}) = (\mathrm{ProveDec}, \mathrm{VerDec})$, $\mathrm{FS}(\Sigma_5, \mathcal{H}) = (\mathrm{ProvePET}, \mathrm{VerPET})$, and $\mathrm{FS}(\Sigma_6, \mathcal{H}) = (\mathrm{ProveMix}, \mathrm{VerMix})$. We define generalized JCJ $\mathrm{JCJ}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \Sigma_4, \Sigma_5, \Sigma_6, \mathcal{H}) = (\mathrm{Setup}, \mathrm{Register}, \mathrm{Vote}, \mathrm{Tally}, \mathrm{Verify})$ as follows.

• $\mathrm{Setup}(k)$. Select coins $r$, compute $(pk_T, sk_T, \mathfrak{m}) \leftarrow \mathrm{Gen}(1^k; r)$; $\rho \leftarrow \mathrm{ProveKey}((1^k, pk_T, \mathfrak{m}), (sk_T, r))$; $PK_T \leftarrow (pk_T, \mathfrak{m}, \rho)$; $m_C \leftarrow |\mathfrak{m}|$, and output $(PK_T, sk_T, \mathrm{poly}(k), m_C)$.

• $\mathrm{Register}(PK_T, k)$. Parse $PK_T$ as $(pk_T, \mathfrak{m}, \rho)$, outputting $(\bot, \bot)$ if parsing fails or $\mathrm{VerKey}((1^k, pk_T, \mathfrak{m}), \rho) \neq 1$. Compute $d \leftarrow_R \mathfrak{m}$; $pd \leftarrow \mathrm{Enc}(pk_T, d)$ and output $(d, pd)$.

• $\mathrm{Vote}(d, PK_T, n_C, \beta, k)$. Parse $PK_T$ as a vector $(pk_T, \mathfrak{m}, \rho)$, outputting $\bot$ if parsing fails or $\mathrm{VerKey}((1^k, pk_T, \mathfrak{m}), \rho) \neq 1 \vee \beta \notin \{1, \dots, n_C\} \vee \{1, \dots, n_C\} \not\subseteq \mathfrak{m}$. Select coins $r_1$ and $r_2$, compute $c_1 \leftarrow \mathrm{Enc}(pk_T, \beta; r_1)$; $c_2 \leftarrow \mathrm{Enc}(pk_T, d; r_2)$; $\sigma \leftarrow \mathrm{ProveCiph}((pk_T, c_1, \{1, \dots, n_C\}), (\beta, r_1))$; $\tau \leftarrow \mathrm{ProveBind}((pk_T, c_1, c_2), (\beta, r_1, d, r_2))$ and output ballot $(c_1, c_2, \sigma, \tau)$.

• $\mathrm{Tally}(PK_T, sk_T, BB, L, n_C, k)$. Initialize vectors $X$ of length $n_C$ and $P$ of length 9. Parse $PK_T$ as $(pk_T, \mathfrak{m}, \rho)$. Compute for $1 \le j \le n_C$ do $X[j] \leftarrow 0$. Proceed as follows.

1) Remove invalid ballots: Let $\{b_1, \dots, b_\ell\}$ be the largest subset of $BB$ such that for all $1 \le i \le \ell$ we have $b_i$ is a vector of length 4 and $\mathrm{VerCiph}((pk_T, b_i[1], \{1, \dots, n_C\}), b_i[3]) = 1 \wedge \mathrm{VerBind}((pk_T, b_i[1], b_i[2]), b_i[4]) = 1$. If $\{b_1, \dots, b_\ell\} = \emptyset$, then output $(X, P)$.

2) Eliminating duplicates: Initialize $P_{\mathrm{dupl}}$ as a vector of length $\ell$. For each $1 \le i \le \ell$, if there exists $\sigma$ and $j \in \{1, \dots, i - 1, i + 1, \dots, \ell\}$ such that $\sigma \leftarrow \mathrm{ProvePET}((pk_T, b_i[2], b_j[2], 1), sk_T)$ and $\mathrm{VerPET}((pk_T, b_i[2], b_j[2], 1), \sigma) = 1$, then assign $P_{\mathrm{dupl}}[i] \leftarrow (\sigma)$; otherwise, compute $\sigma_j \leftarrow \mathrm{ProvePET}((pk_T, b_i[2], b_j[2], 0), sk_T)$ for each $j \in \{1, \dots, i - 1, i + 1, \dots, \ell\}$ and assign $P_{\mathrm{dupl}}[i] \leftarrow (\sigma_1, \dots, \sigma_{i-1}, \sigma_{i+1}, \dots, \sigma_\ell)$. Let $BB'$ be the empty vector and compute for $1 \le i \le \ell \wedge |P_{\mathrm{dupl}}[i]| = \ell - 1$ do $BB' \leftarrow BB' \,\|\, (b_i)$, where $BB' \,\|\, (b_i)$ denotes the concatenation of vectors $BB'$ and $(b_i)$, i.e., $BB' \,\|\, (b_i) = (BB'[1], \dots, BB'[|BB'|], b_i)$.

3) Mixing: Suppose $BB' = (b'_1, \dots, b'_{|BB'|})$. Select a random permutation $\chi$ on $\{1, \dots, |BB'|\}$, initialize $C_1$, $C_2$, $r_1$ and $r_2$ as vectors of length $|BB'|$, and fill $r_1$ and $r_2$ with random coins. Compute for $1 \le i \le |BB'|$ do $C_1[\chi(i)] \leftarrow b'_i[1] \otimes \mathrm{Enc}(PK_T, e; r_1[i])$; $C_2[\chi(i)] \leftarrow b'_i[2] \otimes \mathrm{Enc}(PK_T, e; r_2[i])$ and $P_{\mathrm{mix},1} \leftarrow \mathrm{ProveMix}((pk_T, (b'_1[1], \dots, b'_{|BB'|}[1]), C_1), (r_1, \chi))$; $P_{\mathrm{mix},2} \leftarrow \mathrm{ProveMix}((pk_T, (b'_1[2], \dots, b'_{|BB'|}[2]), C_2), (r_2, \chi))$. Similarly, select a random permutation $\chi'$ on $\{1, \dots, |L|\}$, initialize $C_3$ and $r_3$ as vectors of length $|L|$, fill $r_3$ with random coins, and compute for $1 \le i \le |L|$ do $C_3[\chi'(i)] \leftarrow L[i] \otimes \mathrm{Enc}(PK_T, e; r_3[i])$ and $P_{\mathrm{mix},3} \leftarrow \mathrm{ProveMix}((pk_T, L, C_3), (r_3, \chi'))$.

4) Remove ineligible ballots: Initialize $P_{\mathrm{inelig}}$ as a vector of length $|C_2|$. For each $1 \le i \le |C_2|$, if there exists $\sigma$ and $c \in C_3$ such that $\sigma \leftarrow \mathrm{ProvePET}((pk_T, C_2[i], c, 1), sk_T)$ and $\mathrm{VerPET}((pk_T, C_2[i], c, 1), \sigma) = 1$, then assign $P_{\mathrm{inelig}}[i] \leftarrow (\sigma)$; otherwise, compute $\sigma_j \leftarrow \mathrm{ProvePET}((pk_T, C_2[i], C_3[j], 0), sk_T)$ for each $j \in \{1, \dots, |C_3|\}$ and assign $P_{\mathrm{inelig}}[i] \leftarrow (\sigma_1, \dots, \sigma_{|C_3|})$.

5) Decrypting: Initialize $P_{\mathrm{dec}}$ as the empty vector. Compute for $1 \le i \le |C_1| \wedge |P_{\mathrm{inelig}}[i]| = 1$ do $\beta \leftarrow \mathrm{Dec}(pk_T, sk_T, C_1[i])$; $\sigma \leftarrow \mathrm{ProveDec}((pk_T, C_1[i], \beta), sk_T)$; $X[\beta] \leftarrow X[\beta] + 1$; $P_{\mathrm{dec}} \leftarrow P_{\mathrm{dec}} \,\|\, (\sigma)$.

Assign $P \leftarrow (P_{\mathrm{dupl}}, C_1, P_{\mathrm{mix},1}, C_2, P_{\mathrm{mix},2}, C_3, P_{\mathrm{mix},3}, P_{\mathrm{inelig}}, P_{\mathrm{dec}})$ and output $(X, P)$.

• $\mathrm{Verify}(PK_T, BB, L, n_C, X, P, k)$. Parse $PK_T$ as a vector $(pk_T, \mathfrak{m}, \rho)$, $X$ as a vector of length $n_C$, and $P$ as a vector $(P_{\mathrm{dupl}}, C_1, P_{\mathrm{mix},1}, C_2, P_{\mathrm{mix},2}, C_3, P_{\mathrm{mix},3}, P_{\mathrm{inelig}}, P_{\mathrm{dec}})$, outputting 0 if parsing fails or $\mathrm{VerKey}((1^k, pk_T, \mathfrak{m}), \rho) \neq 1$. Let $m_C = |\mathfrak{m}|$. If $n_C > m_C$, then output 0. Otherwise, perform the following checks:

1) Check removal of invalid ballots: Compute $\{b_1, \dots, b_\ell\}$ as per Step (1) of the tallying algorithm. If $\{b_1, \dots, b_\ell\} = \emptyset$ and $X$ is a zero-filled vector, then output 1. Otherwise, proceed as follows.

2) Check duplicate elimination: Check that $P_{\mathrm{dupl}}$ is a vector of length $\ell$ and that for all $1 \le i \le \ell$, either: i) $|P_{\mathrm{dupl}}[i]| = 1$ and there exists $j \in \{1, \dots, i - 1, i + 1, \dots, \ell\}$ such that $\mathrm{VerPET}((pk_T, b_i[2], b_j[2], 1), P_{\mathrm{dupl}}[i][1]) = 1$, or ii) $|P_{\mathrm{dupl}}[i]| = \ell - 1$ and for all $j \in \{1, \dots, i - 1, i + 1, \dots, \ell\}$ we have $\mathrm{VerPET}((pk_T, b_i[2], b_j[2], 0), P_{\mathrm{dupl}}[i][j]) = 1$.

3) Check mixing: Compute $BB'$ as per Step (2) of the tallying algorithm, suppose $BB' = (b'_1, \dots, b'_{|BB'|})$, and check that $\mathrm{VerMix}((pk_T, (b'_1[1], \dots, b'_{|BB'|}[1]), C_1), P_{\mathrm{mix},1}) = 1 \wedge \mathrm{VerMix}((pk_T, (b'_1[2], \dots, b'_{|BB'|}[2]), C_2), P_{\mathrm{mix},2}) = 1 \wedge \mathrm{VerMix}((pk_T, L, C_3), P_{\mathrm{mix},3}) = 1$.

4) Check removal of ineligible ballots: Check that $P_{\mathrm{inelig}}$ is a vector of length $|C_2|$ and that for all $1 \le i \le |C_2|$, either: i) $|P_{\mathrm{inelig}}[i]| = 1$ and there exists $c \in C_3$ such that $\mathrm{VerPET}((pk_T, C_2[i], c, 1), P_{\mathrm{inelig}}[i][1]) = 1$, or ii) $|P_{\mathrm{inelig}}[i]| = |C_3|$ and for all $1 \le j \le |C_3|$ we have $\mathrm{VerPET}((pk_T, C_2[i], C_3[j], 0), P_{\mathrm{inelig}}[i][j]) = 1$.

5) Check decryption: Compute $C'_1$ as follows: $C'_1 \leftarrow ()$; for $1 \le i \le |C_1| \wedge |P_{\mathrm{inelig}}[i]| = 1$ do $C'_1 \leftarrow C'_1 \,\|\, (C_1[i])$. Check that there exists $\beta_1, \dots, \beta_{|C'_1|}$ such that $X[i] = |\{j : 1 \le j \le |C'_1| \wedge \beta_j = i\}|$ and for all $1 \le i \le |C'_1|$ we have $\mathrm{VerDec}((pk_T, C'_1[i], \beta_i), P_{\mathrm{dec}}[i]) = 1$.

Output 0 if any of the above checks do not hold. Otherwise, if all the above checks succeed, output 1.


Now we assume that JCJ is correct for $n_B = n$, and prove that it satisfies correctness for $n_B = n + 1$. First, we note that since we are only adding one more vote, and therefore only registering one more key pair, the probability that $sk_{n+1} = sk_i$ for some $i \in \{1, \dots, n_B\}$ is negligible, since JCJ ensures that $n_B$ is bounded by a polynomial in $k$ and the secret keys are just random nonces. Now it is easy to see that the only step of Tally that we need to be concerned about is the step in which duplicate ballots are removed. This is because the checks performed in the other steps all pass with overwhelming probability when the computation is done honestly. In the step to remove duplicate ballots, we need to make sure that there are not multiple ballots computed using $sk_{n+1}$. As we argued above, $sk_{n+1}$ is unique among the secret keys, so the ballot computed using $sk_{n+1}$ will not be removed, and we will get that $X = Y$. Therefore, JCJ satisfies correctness. □

Lemma 22. Suppose $\Gamma$, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$, $\Sigma_4$, $\Sigma_5$, $\Sigma_6$ and $\mathcal{H}$ satisfy the preconditions of Figure 3. We have $\mathrm{JCJ}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \Sigma_4, \Sigma_5, \Sigma_6, \mathcal{H})$ satisfies Completeness.

Proof. Let $\mathrm{JCJ}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \Sigma_4, \Sigma_5, \Sigma_6, \mathcal{H}) = (\mathrm{Setup}, \mathrm{Register}, \mathrm{Vote}, \mathrm{Tally}, \mathrm{Verify})$, $\mathrm{FS}(\Sigma_1, \mathcal{H}) = (\mathrm{ProveKey}, \mathrm{VerKey})$, $\mathrm{FS}(\Sigma_4, \mathcal{H}) = (\mathrm{ProveDec}, \mathrm{VerDec})$, $\mathrm{FS}(\Sigma_5, \mathcal{H}) = (\mathrm{ProvePET}, \mathrm{VerPET})$, and $\mathrm{FS}(\Sigma_6, \mathcal{H}) = (\mathrm{ProveMix}, \mathrm{VerMix})$. Suppose $k$ is a security parameter, $BB$ is a bulletin board, and $n_C$ is an integer. Further suppose $(PK_T, SK_T)$ is a key pair, $m_B$ and $m_C$ are integers, $L$ is an electoral roll (i.e., a set of public keys output by Register), and $(X, P)$ is a tally, such that $(PK_T, SK_T, m_B, m_C) \leftarrow \mathrm{Setup}(k)$ and $(X, P) \leftarrow \mathrm{Tally}(PK_T, SK_T, BB, L, n_C, k)$. Moreover, suppose $n_C \le m_C$. By definition of Setup, there exist coins $r$ such that $(pk, SK_T, \mathfrak{m}) = \mathrm{Gen}(1^k; r)$, $PK_T \leftarrow (pk, \mathfrak{m}, \rho)$, and $m_C = |\mathfrak{m}|$, where $\rho$ is an output of $\mathrm{ProveKey}((1^k, PK_T, \mathfrak{m}), (SK_T, r))$. Since $n_C$ is at most $|\mathfrak{m}|$, we have that any $\beta \in \{1, \dots, n_C\}$ is in $\Gamma$'s message space. Moreover, by the definition of Tally, vector $X$ is of length $n_C$ and $P$ is a vector $(P_{\mathrm{dupl}}, C_1, P_{\mathrm{mix},1}, C_2, P_{\mathrm{mix},2}, C_3, P_{\mathrm{mix},3}, P_{\mathrm{inelig}}, P_{\mathrm{dec}})$. It follows that Verify can parse $P$ and $X$ successfully. Moreover, by completeness of (ProveKey, VerKey), we have $\mathrm{VerKey}((1^k, pk, \mathfrak{m}), \rho) = 1$ with overwhelming probability. Suppose $\{b_1, \dots, b_\ell\}$ is the largest subset of $BB$ satisfying the conditions given by algorithm Tally. If $\{b_1, \dots, b_\ell\} = \emptyset$, then $X$ is a zero-filled vector and Verify accepts, concluding our proof. Otherwise, we proceed by showing that checks (2)–(5) of Verify succeed:

• Check duplicate elimination. The check succeeds by completeness of (ProvePET, VerPET), namely, for all $1 \le i \le \ell$ we have either: i) $|P_{\mathrm{dupl}}[i]| = 1$ and there exists $j \in \{1, \dots, i - 1, i + 1, \dots, \ell\}$ such that $\mathrm{VerPET}((PK_T, b_i[2], b_j[2], 1), P_{\mathrm{dupl}}[i][1]) = 1$; or ii) $|P_{\mathrm{dupl}}[i]| = \ell - 1$ and for all $j \in \{1, \dots, i - 1, i + 1, \dots, \ell\}$ we have $\mathrm{VerPET}((PK_T, b_i[2], b_j[2], 0), P_{\mathrm{dupl}}[i][j]) = 1$.

• Check mixing. Suppose $BB' = (b'_1, \dots, b'_{|BB'|})$. Then by the completeness of (ProveMix, VerMix), we have that

$$\mathrm{VerMix}((PK_T, (b'_1[1], \dots, b'_{|BB'|}[1]), C_1), P_{\mathrm{mix},1}) = 1 \;\wedge\; \mathrm{VerMix}((PK_T, (b'_1[2], \dots, b'_{|BB'|}[2]), C_2), P_{\mathrm{mix},2}) = 1 \;\wedge\; \mathrm{VerMix}((PK_T, L, C_3), P_{\mathrm{mix},3}) = 1.$$

• Check removal of ineligible ballots. By Step (4) of Tally, we have $P_{\mathrm{inelig}}$ is a vector of length $|C_2|$. Moreover, by completeness of (ProvePET, VerPET), for all $1 \le i \le |C_2|$ we have either: i) $|P_{\mathrm{inelig}}[i]| = 1$ and there exists $c \in C_3$ such that $\mathrm{VerPET}((PK_T, C_2[i], c, 1), P_{\mathrm{inelig}}[i][1]) = 1$; or ii) $|P_{\mathrm{inelig}}[i]| = |C_3|$ and for all $1 \le j \le |C_3|$ we have $\mathrm{VerPET}((PK_T, C_2[i], C_3[j], 0), P_{\mathrm{inelig}}[i][j]) = 1$. It follows that the check succeeds.

• Check decryption. Verify computes the set $C'_1$ such that it includes only elements $c_i$ of $C_1$ for which $|P_{\mathrm{inelig}}[i]| = 1$. Then, by the definition of Tally and the completeness of (ProveDec, VerDec), we have that $\mathrm{VerDec}((PK_T, C'_1[i], \beta_i), P[9][i]) = 1$ for all $1 \le i \le |C'_1|$. Furthermore, in Step 5 of Tally, ballots $C_1[i]$ are only counted for a candidate when $1 \le i \le |C_1| \wedge |P_{\mathrm{inelig}}[i]| = 1$, which is exactly how $C'_1$ is defined. Therefore, there exists $\beta_1, \dots, \beta_{|C'_1|}$ such that $X[i] = |\{j : 1 \le j \le |C'_1| \wedge \beta_j = i\}|$.

It follows that all the required checks succeed and Verify outputs 1, concluding our proof. □


Lemma 23. Suppose $\Gamma$, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$, $\Sigma_4$, $\Sigma_5$, $\Sigma_6$ and $\mathcal{H}$ satisfy the preconditions of Figure 3. Further suppose $\Gamma$ is collision-free. We have $\mathrm{JCJ}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \Sigma_4, \Sigma_5, \Sigma_6, \mathcal{H})$ satisfies Injectivity.

The proof of Lemma 23 is similar to the proof of Lemma 14.

Proof sketch. Generalized JCJ ballots contain encrypted choices, hence, collision-freeness of the encryption scheme ensures that distinct choices are not mapped to the same ballot. □


Generalized JCJ can be instantiated to derive JCJ:

Definition 29 (JCJ). JCJ [79] is $\mathrm{JCJ}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \Sigma_4, \Sigma_5, \Sigma_6, \mathcal{H})$, where $\Gamma$ is a modified version of El Gamal invented by Juels et al. [79, §4] that can be seen as a simplified version of Cramer–Shoup, $\Sigma_1$ is the proof of key construction by Gennaro et al., $\Sigma_4$ is the conjunction of two Schnorr proofs [104], $\Sigma_5$ is the PET by MacKenzie et al., $\Sigma_6$ is either the mixnet of Furukawa and Sako or Neff [96], and $\mathcal{H}$ is a random oracle. Juels et al. leave $\Sigma_2$ and $\Sigma_3$ unspecified.

Juels et al. [79] do not mandate particular cryptographic primitives, so Definition 29 might be seen more as an instantiation of their scheme than an exact recollection of it. We assume that the primitives in Definition 29 satisfy the properties required by generalized JCJ. We also assume that the sigma protocols satisfy special soundness and special honest verifier zero-knowledge, hence, Theorem 9 is applicable.

To show that JCJ is an election scheme, we must demonstrate that Correctness, Completeness and Injectivity are satisfied. Correctness follows immediately from Lemma 21 and Completeness follows from Lemma 22. We show that Injectivity is also satisfied.

A non-interactive proof system derived from a sigma protocol for proving correct key construction is sufficient to ensure that El Gamal is collision-free:


Lemma  24.  Suppose  Si  is  a  sigma  protocol  that  proves 
correct  key  construction  and  PL  is  a  hash  function.  Let  FS(£i, 
77)  =  (ProveKey,  VerKey).  Further  suppose  for  all  security 
parameters  k,  public  keys  pk,  message  spaces  m  and  proofs 
p,  we  have  VerKey((lfc,  pk.  m),  p)  =  1  implies  ft  ^  0,  there 
exists  p,  q,  g  and  h  such  that  pk  =  (p,  q ,  g ,  h)  and  (p,  q ,  g)  are 
cryptographic  parameters,  and  m  =  {1, . . .  ,p—  1}.  It  follows 
that  multiplicatively  homomorphic  El  Gamal  is  collision-free 
for  mi ,  m2  G  m. 


The proof of Lemma 24 is similar to the proof of Lemma 15.

Proof. Suppose $k$ is a security parameter, $pk$ is a public key, $\mathfrak{m}$ is a message space, $\rho$ is a proof, $m_1, m_2 \in \mathfrak{m}$ are messages and $r_1$ and $r_2$ are coins such that $\mathsf{VerKey}((1^k, pk, \mathfrak{m}), \rho) = 1$, $m_1 \neq m_2 \vee r_1 \neq r_2$, $\mathfrak{m} = \{1, \ldots, p-1\}$, and $pk = (p, q, g, h)$ for some $p$, $q$, $g$ and $h$. Further suppose that $c_1$ and $c_2$ are ciphertexts such that $c_1 = \mathsf{Enc}(pk, m_1; r_1)$, $c_2 = \mathsf{Enc}(pk, m_2; r_2)$, and $\mathsf{Enc}$ is El Gamal's encryption algorithm. If $r_1 \neq r_2$, then we proceed as follows. By definition of $\mathsf{Enc}$, we have $c_1[1] = g^{r_1} \pmod p$ and $c_2[1] = g^{r_2} \pmod p$. Since $r_1$ and $r_2$ are distinct, we have $g^{r_1} \not\equiv g^{r_2} \pmod p$. (We implicitly assume that coins $r_1$ and $r_2$ are selected from the coin space $\mathbb{Z}_q^*$, hence, because $g$ has order $q$, distinct coins give distinct group elements $g^{r_1} \bmod p$ and $g^{r_2} \bmod p$.) It follows that $c_1 \neq c_2$. Otherwise ($r_1 = r_2$), we have $m_1 \neq m_2$ and we proceed as follows. By definition of $\mathsf{Enc}$, we have $c_1[2] = h^{r_1} \cdot m_1 \pmod p$ and $c_2[2] = h^{r_2} \cdot m_2 \pmod p$. Since $h \neq 0$, we have $h^{r_1} \cdot m_1 \not\equiv h^{r_1} \cdot m_2 \pmod p$. □


Given that ciphertexts generated by the modified version of El Gamal used in JCJ [79, §4] encapsulate El Gamal ciphertexts, the proof of key construction by Gennaro et al. [57] is sufficient to ensure that El Gamal is collision-free:

Corollary 25. The modified version of El Gamal used in JCJ [79, §4] is collision-free for its message space $\mathfrak{m}$.

The sigma protocol for proving correct key construction by Gennaro et al. [57] does not explicitly require the suitability of cryptographic parameters to be checked, hence, Lemma 24 is not immediately applicable. Nonetheless, we can trivially make the necessary checks explicit and, hence, the non-interactive proof system derived from the sigma protocol for proving correct key construction by Gennaro et al. is sufficient to ensure that El Gamal is collision-free. It follows that JCJ satisfies Injectivity, hence, JCJ is an election scheme.


Appendix H

Proof: JCJ is Verifiable

Election schemes constructed from generalized JCJ satisfy individual (§H-A), universal (§H-B) and eligibility (§H-C) verifiability, hence, such schemes satisfy election verifiability with internal authentication (§H-D). It follows that JCJ satisfies election verifiability (§H-E).

A. Individual verifiability

Proposition 26. Suppose $\Gamma$, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$, $\Sigma_4$, $\Sigma_5$, $\Sigma_6$ and $\mathcal{H}$ satisfy the preconditions of the figure defining generalized JCJ. Further suppose that $\Gamma$ is collision-free for its message space $\mathfrak{m}$ and $\Sigma_1$ satisfies special soundness and special honest verifier zero-knowledge. We have $\mathsf{JCJ}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \Sigma_4, \Sigma_5, \Sigma_6, \mathcal{H})$ satisfies individual verifiability.

Proof. Let $\mathsf{JCJ}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \Sigma_4, \Sigma_5, \Sigma_6, \mathcal{H}) = (\mathsf{Setup}, \mathsf{Vote}, \mathsf{Tally}, \mathsf{Verify})$ and $\mathsf{FS}(\Sigma_1, \mathcal{H}) = (\mathsf{ProveKey}, \mathsf{VerKey})$. Suppose $k$ is a security parameter, $PK_\mathcal{T}$ is a public key, $n_c$ is an integer, and $\beta$ and $\beta'$ are choices. Further suppose that $(pk, sk)$ and $(pk', sk')$ are key pairs and $b$ and $b'$ are ballots such that $(pk, sk) \leftarrow \mathsf{Register}(PK_\mathcal{T}, k)$, $(pk', sk') \leftarrow \mathsf{Register}(PK_\mathcal{T}, k)$, $b \leftarrow \mathsf{Vote}(sk, PK_\mathcal{T}, n_c, \beta, k)$, $b' \leftarrow \mathsf{Vote}(sk', PK_\mathcal{T}, n_c, \beta', k)$, $b \neq \bot$, and $b' \neq \bot$. By definition of Vote, we have $PK_\mathcal{T}$ is a vector $(pk_\mathcal{T}, \mathfrak{m}, \rho)$ and $\mathsf{VerKey}((1^k, pk_\mathcal{T}, \mathfrak{m}), \rho) = 1$. By definition of Vote, $b[2]$ and $b'[2]$ are ciphertexts such that $b[2] \leftarrow \mathsf{Enc}(pk_\mathcal{T}, sk)$ and $b'[2] \leftarrow \mathsf{Enc}(pk_\mathcal{T}, sk')$, where $sk, sk' \in \mathfrak{m}$. Furthermore, the ciphertexts are constructed using random coins, i.e., the coins used by $b[2]$ and $b'[2]$ will be distinct with overwhelming probability. Since $\Gamma$ is collision-free for $\mathfrak{m}$, we have $b[2] \neq b'[2]$ and $b \neq b'$ with overwhelming probability, concluding our proof. □

B. Universal verifiability

Proposition 27. Suppose $\Gamma$ is a homomorphic asymmetric encryption scheme, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$, $\Sigma_4$, $\Sigma_5$ and $\Sigma_6$ are sigma protocols and $\mathcal{H}$ is a hash function such that the conditions of the figure defining generalized JCJ are satisfied. Further suppose that $\Gamma$ satisfies IND-CPA and $\Sigma_1$ and $\Sigma_6$ satisfy special soundness and special honest verifier zero-knowledge. We have $\mathsf{JCJ}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \Sigma_4, \Sigma_5, \Sigma_6, \mathcal{H})$ satisfies universal verifiability.

The proof is similar in structure to the universal verifiability proof for Helios (§D-B): we use the definition of the verification algorithm to construct the tally $X$ given by the adversary, and then show that $X$ is equal to the correct tally.

Proof. Suppose that an execution of $\mathsf{Exp\text{-}UV\text{-}Int}(\Pi, A, k)$ computes

$(PK_\mathcal{T}, n_v) \leftarrow A(k)$;
for $1 \le i \le n_v$ do $(pk_i, sk_i) \leftarrow \mathsf{Register}(PK_\mathcal{T}, k)$;
$L \leftarrow \{pk_1, \ldots, pk_{n_v}\}$;
$M \leftarrow \{(pk_1, sk_1), \ldots, (pk_{n_v}, sk_{n_v})\}$;
$(BB, n_c, X, P) \leftarrow A(M)$;
$Y \leftarrow \mathsf{correct\text{-}tally}(PK_\mathcal{T}, BB, M, n_c, k)$;

such that $\mathsf{Verify}(PK_\mathcal{T}, BB, n_c, X, P, k) = 1$. The JCJ verification algorithm checks the proof $\rho$ in $PK_\mathcal{T} = (pk_\mathcal{T}, \mathfrak{m}, \rho)$, so $\mathsf{VerKey}((1^k, pk_\mathcal{T}, \mathfrak{m}), \rho) = 1$ and by simulation sound extractability we are assured that $pk_\mathcal{T}$ was honestly generated, i.e., there exist $r$ and $SK_\mathcal{T}$ such that $(pk_\mathcal{T}, SK_\mathcal{T}, \mathfrak{m}) = \mathsf{Gen}(1^k; r)$. We now look at each step in the Verify algorithm.

• Check removal of invalid ballots: Let $\{b_1, \ldots, b_\ell\}$ be the largest subset of $BB$ such that for all $1 \le i \le \ell$ we have $b_i$ is a vector of length 4 and $\mathsf{VerCiph}((pk_\mathcal{T}, b_i[1], \{1, \ldots, n_c\}), b_i[3]) = 1 \wedge \mathsf{VerBind}((pk_\mathcal{T}, b_i[1], b_i[2]), b_i[4]) = 1$. If this set is empty, then Verify would only accept if $X[i] = 0$ for all $1 \le i \le n_c$ and $P = \bot$. Since the set is empty, no ballots $b$ were posted to the bulletin board for which $\mathsf{VerCiph}((pk_\mathcal{T}, b[1], \{1, \ldots, n_c\}), b[3]) = 1 \wedge \mathsf{VerBind}((pk_\mathcal{T}, b[1], b[2]), b[4]) = 1$. By the completeness of the zero-knowledge proofs, if the ballots were outputs of the Vote function, then they would verify. Therefore, no ballot on the bulletin board was an output of the Vote function, so $Y$ is also a vector of zeroes. Thus $X = Y$, concluding our proof. Now assume that $\{b_1, \ldots, b_\ell\} \neq \emptyset$.

We must have for all choices $\beta \in \{1, \ldots, n_c\}$, secret keys $sk$ such that $(pk, sk) \in M$, coins $r$, and ballots $b = \mathsf{Vote}(sk, PK_\mathcal{T}, n_c, \beta, k; r)$ that $b \notin BB \setminus \{b_1, \ldots, b_\ell\}$ with overwhelming probability, since otherwise we would have a contradiction: $\{b_1, \ldots, b_\ell\}$ would not be the largest subset of $BB$ satisfying the conditions of the Tally algorithm. Therefore, we must have that

$$\mathsf{correct\text{-}tally}(PK_\mathcal{T}, BB, M, n_c, k) = \mathsf{correct\text{-}tally}(PK_\mathcal{T}, \{b_1, \ldots, b_\ell\}, M, n_c, k) \qquad (5)$$

• Check duplicate elimination: Next, the verification algorithm checks that duplicate votes were properly eliminated, i.e., that for each $1 \le i \le \ell$ either $|P_{dupl}[i]| = 1 \wedge \exists j \in \{1, \ldots, i-1, i+1, \ldots, \ell\}$ such that $\mathsf{VerPET}((pk_\mathcal{T}, b_i[2], b_j[2], 1), P_{dupl}[i][1]) = 1$, or $|P_{dupl}[i]| = \ell - 1 \wedge \forall j \in \{1, \ldots, i-1, i+1, \ldots, \ell\}$ we have $\mathsf{VerPET}((pk_\mathcal{T}, b_i[2], b_j[2], 0), P_{dupl}[i][j]) = 1$. Let $BB'$ be constructed as in Step (2) of the JCJ tallying algorithm. By the simulation sound extractability of the proofs $P_{dupl}[i]$, we are assured that there are no duplicate votes in $BB'$.

• Check mixing: Now the ballots in $BB'$ are permuted and re-encrypted using a mixnet. While permuting the ballots is not necessary for verifiability, the associated proofs are necessary because they show that the re-encryption was done properly (for example, they ensure that the encrypted ballot was multiplied by an encryption of the identity element, and not by some other group element that might change the vote). Let $C_1$ denote the list of mixed re-encryptions of candidates, $C_2$ denote the list of mixed re-encryptions of voters' secret keys from the ballots, and $C_3$ denote the mixed list of encryptions of voters' secret keys. The permutation used to generate $C_3$ is different from the permutation used to generate $C_1$ and $C_2$, but this is not important to the verifiability of the scheme. We have that $\mathsf{VerMix}((pk_\mathcal{T}, (b'_1[1], \ldots, b'_{|BB'|}[1]), C_1), P_{mix,1}) = 1 \wedge \mathsf{VerMix}((pk_\mathcal{T}, (b'_1[2], \ldots, b'_{|BB'|}[2]), C_2), P_{mix,2}) = 1 \wedge \mathsf{VerMix}((pk_\mathcal{T}, L, C_3), P_{mix,3}) = 1$. By simulation sound extractability, we have that each $C_i$ does indeed contain re-encryptions of the original lists in $BB'$.

• Check removal of ineligible ballots: Next, the verification algorithm ensures that ineligible ballots are removed properly. The verification algorithm checks that each PET in $P[8] = P_{inelig}$ is valid. Let $C'_1 \subseteq C_1$ be the set of $C_1[i] \in C_1$ for which $|P_{inelig}[i]| = 1$ and there exists $c \in C_3$ such that $\mathsf{VerPET}((pk_\mathcal{T}, C_2[i], c, 1), P_{inelig}[i][1]) = 1$. In other words, $C'_1$ is the set of encryptions of candidates generated using a valid voter's secret key.

• Check decryption: Finally, the verification algorithm checks the proofs that all of the ballots in $C'_1$ are properly decrypted. The verification algorithm outputs 1, so by simulation sound extractability we are assured that the multiset of candidates given by decrypting the ballots in $C'_1$ is correct. We will call this multiset $C_{final}$. Finally the verification algorithm checks that this multiset corresponds to the vector $X$.

We can see that $C_{final}$ satisfies the following properties. First, every element $\beta$ in $C_{final}$ corresponds to a ballot $b \in BB$ which was generated using Vote with a valid voter's secret key. This is ensured by steps (1), (3), and (4) of the verification algorithm. Second, for every $\beta \in C_{final}$, the ballot corresponding to this $\beta$ was the only one constructed under its particular secret key, i.e., (where $b$ is the ballot corresponding to $\beta$ and $sk$ is its secret key) $\neg\exists b', \beta', r' : b' \in BB \setminus \{b\} \wedge b' = \mathsf{Vote}(sk, PK_\mathcal{T}, n_c, \beta', k; r')$. This is ensured by steps (2) and (3) of the verification algorithm. Therefore, we have that each $\beta \in C_{final}$ corresponds to a ballot in $\mathsf{authorized}(PK_\mathcal{T}, BB, M, n_c, k)$. Finally $X[\beta] = j$ iff $\exists^{=j} \beta \in C_{final}$, that is, iff $\beta$ occurs exactly $j$ times in $C_{final}$. This is ensured by step (5) of the verification algorithm. Since these are the exact properties that define $\mathsf{correct\text{-}tally}(PK_\mathcal{T}, \{b_1, \ldots, b_\ell\}, M, n_c, k)$, we must have that $X = Y$. □


C. Eligibility Verifiability

We proceed as follows. First, we derive an IND-1-CPA encryption scheme from generalized JCJ (§H-C1). Secondly, we introduce an experiment that is equivalent to $\mathsf{Exp\text{-}EV\text{-}Int\text{-}Weak}$ for JCJ (§H-C2). Finally, we prove that JCJ satisfies our new experiment (§H-C3), using the IND-1-CPA encryption scheme.

1) Encryption scheme from generalized JCJ:

Definition 30. Suppose $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ is an asymmetric encryption scheme, $\Sigma_1$ proves correct key construction, $\Sigma_3$ proves conjunctive plaintext knowledge, and $\mathcal{H}$ is a random oracle. Let $\mathsf{FS}(\Sigma_1, \mathcal{H}) = (\mathsf{ProveKey}, \mathsf{VerKey})$ and $\mathsf{FS}(\Sigma_3, \mathcal{H}) = (\mathsf{ProveBind}, \mathsf{VerBind})$. We define $\Pi_{JCJ}(\Pi, \Sigma_1, \Sigma_3, \mathcal{H}) = (\mathsf{Gen}', \mathsf{Enc}', \mathsf{Dec}')$ as follows:

• $\mathsf{Gen}'(1^k; r)$: Compute $(pk_\mathcal{T}, SK_\mathcal{T}, \mathfrak{m}) \leftarrow \mathsf{Gen}(1^k; r)$; $\rho \leftarrow \mathsf{ProveKey}((1^k, pk_\mathcal{T}, \mathfrak{m}), (SK_\mathcal{T}, r))$; $PK_\mathcal{T} \leftarrow (pk_\mathcal{T}, \mathfrak{m}, \rho)$; $\mathfrak{m}' \leftarrow \{(m_1, m_2) \mid m_1, m_2 \in \mathfrak{m}\}$. Output $((PK_\mathcal{T}, k), SK_\mathcal{T}, \mathfrak{m}')$.

• $\mathsf{Enc}'(pk, m)$: Parse $m$ as a vector $(\beta, d)$, $pk$ as a vector $(PK_\mathcal{T}, k)$, and $PK_\mathcal{T}$ as a vector $(pk_\mathcal{T}, \mathfrak{m}, \rho)$, outputting $\bot$ if parsing fails. Select coins $r_1$ and $r_2$ and compute $c_1 \leftarrow \mathsf{Enc}(pk_\mathcal{T}, \beta; r_1)$; $c_2 \leftarrow \mathsf{Enc}(pk_\mathcal{T}, d; r_2)$; $\tau \leftarrow \mathsf{ProveBind}((pk_\mathcal{T}, c_1, c_2), (\beta, r_1, d, r_2))$. Output $(c_1, c_2, \tau)$.

• $\mathsf{Dec}'(pk, sk, c)$: Parse $c$ as $(c_1, c_2, \tau)$, $pk$ as $(PK_\mathcal{T}, k)$, and $PK_\mathcal{T}$ as $(pk_\mathcal{T}, \mathfrak{m}, \rho)$, outputting $\bot$ if parsing fails or $\mathsf{VerBind}((pk_\mathcal{T}, c_1, c_2), \tau) \neq 1$. Compute $\beta \leftarrow \mathsf{Dec}(pk_\mathcal{T}, sk, c_1)$; $d \leftarrow \mathsf{Dec}(pk_\mathcal{T}, sk, c_2)$ and output $(\beta, d)$.

The key generation algorithm $\mathsf{Gen}'$ outputs a public key $(PK_\mathcal{T}, k)$, where $PK_\mathcal{T} = (pk_\mathcal{T}, \mathfrak{m}, \rho)$. Parameters $\mathfrak{m}$, $\rho$, and $k$ are used in our proof of eligibility verifiability, but are not required by the encryption scheme.
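The following Python program is an added example, not code from the paper or from Juels et al. It makes two of the objects above concrete: the collision-freeness argument of Lemma 24 (distinct coins give distinct first components, a fixed coin gives distinct second components for distinct messages) is checked by brute force over a toy-sized El Gamal group, and $\mathsf{Enc}'/\mathsf{Dec}'$ of Definition 30 are built on top of it. Everything beyond the definitions is an assumption of the example: the parameters $(p, q, g) = (1019, 509, 4)$ are toy-sized; $\mathsf{ProveBind}$ is instantiated as two Schnorr proofs of knowledge of the coins $r_1, r_2$ sharing one Fiat–Shamir challenge (the paper leaves $\Sigma_3$ unspecified), which proves plaintext knowledge because $r$ determines the plaintext as $c[2] / h^r$; the $k$ and $\rho$ components of $PK_\mathcal{T}$ are omitted; and the random oracle keeps an explicit table so that the special honest-verifier simulator and the "Error 1" abort of Proposition 28's reduction can be exercised.

```python
# Added example (not from the paper): toy El Gamal in a prime-order subgroup, a
# brute-force check of the Lemma 24 collision-freeness argument, and Enc'/Dec'
# of Definition 30.  Assumptions: toy parameters; ProveBind = two Schnorr proofs
# of the coins r1, r2 under one Fiat-Shamir challenge (knowing r yields the
# plaintext c[2] / h^r); k and rho are dropped from PK_T; the oracle table is
# explicit so the simulator and the "Error 1" abort can be demonstrated.
import hashlib
import secrets

P, Q, G = 1019, 509, 4          # (p, q, g): q | p - 1 and g has order q

def keygen(rng=secrets.randbelow):
    """Gen: secret x in Z_q^*, public h = g^x.  Returns (pk, sk, message space)."""
    x = 1 + rng(Q - 1)
    return (P, Q, G, pow(G, x, P)), x, range(1, P)

def enc(pk, m, r):
    """Enc(pk, m; r): multiplicatively homomorphic El Gamal with explicit coin r."""
    p, _, g, h = pk
    return (pow(g, r, p), pow(h, r, p) * m % p)

def dec(pk, sk, c):
    p = pk[0]
    return c[1] * pow(c[0], p - 1 - sk, p) % p    # second component / first^sk

def verkey(pk, msgspace):
    """What Lemma 24 asks VerKey to guarantee: parameters, h != 0, m = {1..p-1}."""
    p, q, g, h = pk
    prime = lambda n: n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))
    return (prime(p) and prime(q) and (p - 1) % q == 0 and g != 1
            and pow(g, q, p) == 1 and h % p != 0 and list(msgspace) == list(range(1, p)))

def collision_free(pk, msgspace):
    """Brute-force Lemma 24 over all coins in Z_q^* and all messages."""
    p, q, g, _ = pk
    if len({pow(g, r, p) for r in range(1, q)}) != q - 1:      # distinct coins
        return False
    return all(len({enc(pk, m, r)[1] for m in msgspace}) == len(msgspace)
               for r in range(1, q))                           # fixed coin, distinct messages

class RandomOracle:
    """H as a programmable random oracle: a point is fixed when first queried."""
    def __init__(self):
        self.table = {}

    def query(self, x):
        if x not in self.table:
            digest = hashlib.sha256(repr(x).encode()).digest()
            self.table[x] = int.from_bytes(digest, "big") % Q
        return self.table[x]

def prove_bind(H, pk, c1, c2, r1, r2, rng=secrets.randbelow):
    """ProveBind((pk, c1, c2), (beta, r1, d, r2)); the challenge covers both ciphertexts."""
    p, q, g, _ = pk
    w1, w2 = rng(q), rng(q)
    comm = (pow(g, w1, p), pow(g, w2, p))
    chal = H.query((pk, c1, c2, comm))
    return comm, ((w1 + chal * r1) % q, (w2 + chal * r2) % q)

def ver_bind(H, pk, c1, c2, proof):
    p, q, g, _ = pk
    comm, (s1, s2) = proof
    chal = H.query((pk, c1, c2, comm))
    return (pow(g, s1, p) == comm[0] * pow(c1[0], chal, p) % p
            and pow(g, s2, p) == comm[1] * pow(c2[0], chal, p) % p)

def sim_bind(H, pk, c1, c2, chal, rng=secrets.randbelow):
    """SHVZK simulator: pick responses, derive commitments, program H.
    Returns None when the oracle point is already fixed ("Error 1")."""
    p, q, g, _ = pk
    s1, s2 = rng(q), rng(q)
    comm = tuple(pow(g, s, p) * pow(c[0], q - chal, p) % p
                 for s, c in ((s1, c1), (s2, c2)))
    if (pk, c1, c2, comm) in H.table:
        return None
    H.table[(pk, c1, c2, comm)] = chal
    return comm, (s1, s2)

def enc_prime(H, pk, msg, rng=secrets.randbelow):
    """Enc' of Definition 30 on the pair (beta, d)."""
    beta, d = msg
    r1, r2 = 1 + rng(Q - 1), 1 + rng(Q - 1)
    c1, c2 = enc(pk, beta, r1), enc(pk, d, r2)
    return c1, c2, prove_bind(H, pk, c1, c2, r1, r2, rng)

def dec_prime(H, pk, sk, c):
    """Dec': output nothing unless VerBind accepts, then decrypt both halves."""
    c1, c2, tau = c
    return (dec(pk, sk, c1), dec(pk, sk, c2)) if ver_bind(H, pk, c1, c2, tau) else None

def demo():
    """(VerKey checks, collision-free, Dec' correct, tampered proof rejected,
    simulated proof accepted)."""
    H, (pk, sk, space) = RandomOracle(), keygen()
    c = enc_prime(H, pk, (3, 7))                        # choice 3 bound to credential 7
    c1, c2, (comm, (s1, s2)) = c
    tampered = (c1, c2, (comm, ((s1 + 1) % Q, s2)))     # fails for every challenge
    d1, d2 = enc(pk, 9, 2), enc(pk, 4, 6)
    return (verkey(pk, space), collision_free(pk, space),
            dec_prime(H, pk, sk, c) == (3, 7), dec_prime(H, pk, sk, tampered) is None,
            ver_bind(H, pk, d1, d2, sim_bind(H, pk, d1, d2, chal=5)))
```

`demo()` returns five `True` values. The tampered-response check is deterministic: changing $s_1$ to $s_1 + 1$ multiplies the left-hand side of the first verification equation by $g \neq 1$ whatever the challenge is. A forgery that keeps $c_2$ and $\tau$ but swaps in a fresh $c_1$ is rejected only with probability about $1 - 1/q$, because the challenge is a hash of the whole statement; with a toy $q = 509$ that is visible, with a real-sized $q$ it is negligible. The brute-force `collision_free` walks all $508 \cdot 1018$ coin/message pairs and takes about a second.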

Proposition 28. $\Pi_{JCJ}(\Pi, \Sigma_1, \Sigma_3, \mathcal{H})$ is an asymmetric encryption scheme satisfying IND-1-CPA, where $\Pi$, $\Sigma_1$, $\Sigma_3$ and $\mathcal{H}$ satisfy the preconditions of Definition 30.

Proof. The proof that this scheme satisfies IND-1-CPA is adapted from that of [?, Theorem 5.1]. We will show that if there is an adversary $A'$ that can win the IND-1-CPA game for the scheme, then there is another adversary $A$ that can win the IND-CPA game for the following scheme. Let $\Gamma = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ be an asymmetric encryption scheme satisfying IND-CPA. Define $\Gamma' = (\mathsf{Gen}', \mathsf{Enc}', \mathsf{Dec}')$ as follows (these primed algorithms belong to $\Gamma'$ and are distinct from those of $\Pi_{JCJ}$):

• $\mathsf{Gen}'(1^k; r)$: Compute $(pk', sk, \mathfrak{m}) \leftarrow \mathsf{Gen}(1^k; r)$; $\rho \leftarrow \mathsf{ProveKey}((1^k, pk', \mathfrak{m}), (sk, r))$; $PK_\mathcal{T} \leftarrow (pk', \mathfrak{m}, \rho)$; $pk \leftarrow (PK_\mathcal{T}, k)$; $\mathfrak{m}' \leftarrow \{(m_1, m_2) \mid m_1, m_2 \in \mathfrak{m}\}$, and output $(pk, sk, \mathfrak{m}')$.

• $\mathsf{Enc}'(pk, m)$: Parse $m$ as a vector $(m_0, m_1)$, $pk$ as $(PK_\mathcal{T}, k)$, and $PK_\mathcal{T}$ as $(pk', \mathfrak{m}, \rho)$, outputting $\bot$ if parsing fails. Compute $c_0 \leftarrow \mathsf{Enc}(pk', m_0)$; $c_1 \leftarrow \mathsf{Enc}(pk', m_1)$, and output $(c_0, c_1)$.

• $\mathsf{Dec}'(pk, sk, c)$: Parse $c$ as a vector $(c_0, c_1)$, $pk$ as $(PK_\mathcal{T}, k)$, and $PK_\mathcal{T}$ as $(pk', \mathfrak{m}, \rho)$, outputting $\bot$ if parsing fails. Compute $m_0 \leftarrow \mathsf{Dec}(pk', sk, c_0)$; $m_1 \leftarrow \mathsf{Dec}(pk', sk, c_1)$, and output $(m_0, m_1)$.

It is straightforward to see that this scheme satisfies IND-CPA.

Now we begin the reduction. Let $A'$ be an adversary that wins the IND-1-CPA game against $\Pi_{JCJ}(\Pi, \Sigma_1, \Sigma_3, \mathcal{H})$ with non-negligible probability. We will construct an adversary $A$ that wins the IND-CPA game against the $\Gamma'$ defined above with non-negligible probability. $A$ is first given a public key $pk$, where $pk = (PK_\mathcal{T}, k)$ and $PK_\mathcal{T} = (pk', \mathfrak{m}, \rho)$. $A$ forwards $pk$ to $A'$. $A'$ may make queries to its random oracle. $A$ will simulate the random oracle and keep a list $\mathcal{H}$ of all previously asked queries. If $A'$ makes a query for a value already in $\mathcal{H}$, $A$ responds with a value consistent with the list. If $A'$ makes a query for a new value, $A$ chooses a value uniformly at random from the range of the random oracle and adds the query/response pair to $\mathcal{H}$. We will denote by $\mathcal{H}(x)$ the response $y$ such that $(x, y)$ is in $\mathcal{H}$, and $\bot$ if no such query/response pair is in $\mathcal{H}$.

Next $A'$ will output two messages $m_0, m_1$ of the form $(\beta, d)$. $A$ outputs $m_0, m_1$ and receives a challenge ciphertext $c^* = (c^*_0, c^*_1)$. $A$ then picks a challenge $chal^*$ at random from the challenge space. In order to generate the proof of conjunctive plaintext knowledge that $A'$ expects, $A$ will use the simulator $\mathsf{Sim}$ for the sigma protocol associated with $\mathsf{ProveBind}$. This simulator exists due to the special honest verifier zero-knowledge property of the sigma protocol. $A$ runs $\mathsf{Sim}((pk', c^*_0, c^*_1), chal^*)$ to obtain the simulated proof $\tau^* = (comm^*, resp^*)$, and adds the pair $((pk', c^*_0, c^*_1) \| comm^*, chal^*)$ to $\mathcal{H}$. If there is already an entry corresponding to the query $(pk', c^*_0, c^*_1) \| comm^*$ in $\mathcal{H}$, $A$ aborts with "Error 1". $A$ then gives $(c^*_0, c^*_1, \tau^*)$ to $A'$.

$A'$ will next output its vector of decryption queries $\mathbf{c}$. Let $|\mathbf{c}| = t$. For each $i \in \{1, \ldots, t\}$, $A$ will obtain the response to the query $\mathbf{c}[i]$ using the following procedure. First, $A$ checks that $\mathbf{c}[i]$ is a valid ciphertext, i.e., that $\mathbf{c}[i] = (c^0_i, c^1_i, \tau_i)$ where $\tau_i = (comm_i, resp_i)$ such that $\mathsf{VerBind}((pk', c^0_i, c^1_i), (comm_i, \mathcal{H}((pk', c^0_i, c^1_i) \| comm_i), resp_i)) = 1$. If there is no entry $(x, y) \in \mathcal{H}$ such that $x = (pk', c^0_i, c^1_i) \| comm_i$, $A$ adds it as if $A'$ had queried its random oracle on that value. If these conditions do not hold or $\mathbf{c}[i] = (c^*_0, c^*_1, \tau^*)$, the response for $\mathbf{c}[i]$ will be $\bot$. Now $A$ checks to see where $A'$ queried on $(pk', c^0_i, c^1_i) \| comm_i$. If $A'$ never made such a query, $A$ aborts with "Error 2". $A$ simulates a new copy of $A'$ up to the point of that query, but this time responds with a new, uniformly random value. All other queries are answered as they were in the "main" run of $A'$. $A$ continues the simulation until $A'$ outputs $\mathbf{c}'$. If $\mathbf{c}'$ contains an entry $(c^0_j, c^1_j, \tau_j)$ such that $c^0_j = c^0_i$, $c^1_j = c^1_i$ and $comm_j = comm_i$, then $A$ uses the special soundness extractor for the sigma protocol to obtain the witness $w_i$ for the statement. This witness consists of the messages and random coins used to generate the ciphertexts. $A$ uses this witness to answer the decryption query in the "main" run. Finally, $A'$ will output a bit $b$, which $A$ outputs as well.

The remainder of the proof is almost exactly the same as that of [?, Theorem 5.1], and so is omitted here. □

2) Variant of Exp-EV-Int-Weak:

$\mathsf{Exp\text{-}EV\text{-}1\text{-}Int}(\Pi, A, k) =$

1 $(PK_\mathcal{T}, SK_\mathcal{T}, \mathfrak{m}_B, \mathfrak{m}_C) \leftarrow \mathsf{Setup}(k)$;
2 $(pk, sk) \leftarrow \mathsf{Register}(PK_\mathcal{T}, k)$;
3 $Rvld \leftarrow \emptyset$;
4 $(n_c, \beta, b) \leftarrow A^R(PK_\mathcal{T}, pk, k)$;
5 if $\exists r : b = \mathsf{Vote}(sk, PK_\mathcal{T}, n_c, \beta, k; r) \wedge b \neq \bot \wedge b \notin Rvld$ then
6   return 1
7 else
8   return 0

Lemma 29. Let $\Pi$ be generalized JCJ, where the encryption scheme $\Gamma$ satisfies IND-CPA. Then we have

$$\forall A\ \exists \mu\ \forall k\ .\ \mathsf{Succ}(\mathsf{Exp\text{-}EV\text{-}1\text{-}Int}(\Pi, A, k)) \le \mu(k)$$
$$\iff\ \forall A'\ \exists \mu'\ \forall k'\ .\ \mathsf{Succ}(\mathsf{Exp\text{-}EV\text{-}Int\text{-}Weak}(\Pi, A', k')) \le \mu'(k'),$$

where $A$ and $A'$ are PPT adversaries, $\mu$ and $\mu'$ are negligible functions, and $k$ and $k'$ are security parameters.

The forward implication is required by Proposition 30 and we provide a formal proof below. A proof of the reverse implication is straightforward and we omit our formal proof.


Proof. We will show that if an adversary wins $\mathsf{Exp\text{-}EV\text{-}Int\text{-}Weak}$, then there exists an adversary that wins $\mathsf{Exp\text{-}EV\text{-}1\text{-}Int}$. Let $A'$ be an adversary that wins $\mathsf{Exp\text{-}EV\text{-}Int\text{-}Weak}$ with non-negligible probability. We will construct the adversary $A$ for $\mathsf{Exp\text{-}EV\text{-}1\text{-}Int}$. The challenger first computes $(PK_\mathcal{T}, SK_\mathcal{T}, \mathfrak{m}_B, \mathfrak{m}_C) \leftarrow \mathsf{Setup}(k)$ and $(pk, sk) \leftarrow \mathsf{Register}(PK_\mathcal{T}, k)$. $A$ is given as input $(PK_\mathcal{T}, pk, k)$ and forwards $(PK_\mathcal{T}, k)$ to $A'$. $A'$ outputs $n_v$. Now $A'$ may make some oracle queries. $A$ will maintain a list $H$ of $(i, pk'_i, sk'_i)$ tuples. $A'$'s first oracle, $C$, needs to return the secret keys associated with voters. When $A$ receives a query $C(i)$, $A$ checks if $(i, pk'_i, sk'_i) \in H$. If so, $A$ returns $sk'_i$. Otherwise, $A$ computes $(pk'_i, sk'_i) \leftarrow \mathsf{Register}(PK_\mathcal{T}, k)$, adds $(i, pk'_i, sk'_i)$ to $H$, and returns $sk'_i$. By the IND-CPA property of the encryption scheme, $A'$ cannot tell that $sk'_i$ does not actually correspond to $pk_i$. $A'$'s second oracle, $R$, can be queried on inputs $(i, \beta, n_c)$, on which it returns $\mathsf{Vote}(sk_i, PK_\mathcal{T}, n_c, \beta, k)$. If $A$ receives the query $R(i, \beta, n_c)$, it checks if $(i, pk'_i, sk'_i) \in H$. If so, $A$ computes $b = \mathsf{Vote}(sk'_i, PK_\mathcal{T}, n_c, \beta, k)$ and returns $b$. Otherwise, $A$ computes $(pk'_i, sk'_i) \leftarrow \mathsf{Register}(PK_\mathcal{T}, k)$, adds $(i, pk'_i, sk'_i)$ to $H$, then computes $b = \mathsf{Vote}(sk'_i, PK_\mathcal{T}, n_c, \beta, k)$ and returns $b$. Again by the IND-CPA property of the encryption scheme, $A'$ cannot tell that the ballots $b$ it receives were computed with a secret key that does not correspond to $pk_i$. Finally, $A'$ outputs $(n_c, \beta, i, b)$, and $A$ outputs $(n_c, \beta, b)$. Clearly, $A$ has the same success probability as $A'$, so $A$ wins $\mathsf{Exp\text{-}EV\text{-}1\text{-}Int}$ with non-negligible probability. □


3)  Eligibility  Verifiability: 

Proposition 30. Suppose $\Gamma$ is a homomorphic asymmetric encryption scheme, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$, $\Sigma_4$, $\Sigma_5$ and $\Sigma_6$ are sigma protocols and $\mathcal{H}$ is a hash function such that the conditions of the figure defining generalized JCJ are satisfied. Further suppose that $\Gamma$ satisfies IND-CPA. We have $\mathsf{JCJ}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \Sigma_4, \Sigma_5, \Sigma_6, \mathcal{H})$ satisfies eligibility verifiability.

Proof. Let $\Pi_{JCJ} = (\mathsf{Gen}', \mathsf{Enc}', \mathsf{Dec}')$ be defined as above. Let $A'$ be an adversary that wins the $\mathsf{Exp\text{-}EV\text{-}1\text{-}Int}$ game. We will construct the adversary $A$ that wins the IND-1-CPA game with non-negligible advantage. The challenger first generates $(PK, SK_\mathcal{T}, \mathfrak{m}') \leftarrow \mathsf{Gen}'(1^k)$, where $PK = (PK_\mathcal{T}, k)$ and $PK_\mathcal{T} = (pk_\mathcal{T}, \mathfrak{m}, \rho)$, and gives $PK = (PK_\mathcal{T}, k)$ to $A$ as input. $A$ runs $\mathsf{Register}(PK_\mathcal{T}, k)$ twice to get $(pk_0, sk_0)$, $(pk_1, sk_1)$ and sets $m_0 = (1, sk_0)$, $m_1 = (1, sk_1)$. $A$ then outputs $(m_0, m_1)$. The challenger picks a bit $b$ at random and gives $c = \mathsf{Enc}'(PK, m_b)$ to $A$. We have $c = (c_1, c_2, \tau)$, where $c_2 = \mathsf{Enc}(pk_\mathcal{T}, sk_b)$. Now $A$ begins to interact with $A'$ by giving $(PK_\mathcal{T}, c_2, k)$ to $A'$.

At this point $A'$ may call its oracle $R$. If $A$ receives a query $R(\beta, n_c)$, it will construct $x \leftarrow \mathsf{Vote}(sk_0, PK_\mathcal{T}, n_c, \beta, k)$ and return $x$. We have that $x = (\mathsf{Enc}(pk_\mathcal{T}, \beta), \mathsf{Enc}(pk_\mathcal{T}, sk_0), \sigma, \tau)$, where $\sigma$ and $\tau$ are proofs of plaintext knowledge in a subspace and conjunctive plaintext knowledge, respectively. By the IND-CPA property of $\mathsf{Enc}$, $A'$ cannot distinguish between encryptions of $sk_0$ and $sk_1$. Therefore we can construct $x$ using $sk_0$ even if the secret key corresponding to $c_2$ is actually $sk_1$.

$A'$ will then output $(n_c, \beta^*, b^*)$, where $b^* = (c^*_1, c^*_2, \sigma^*, \tau^*)$. $A'$ wins with probability $\frac{1}{p(k)}$ for some polynomial $p$, so with probability $\frac{1}{p(k)}$ we have that $c^*_1 = \mathsf{Enc}(pk_\mathcal{T}, \beta^*; r_1)$, $c^*_2 = \mathsf{Enc}(pk_\mathcal{T}, sk_b; r_2)$, $\sigma^* = \mathsf{ProveCiph}((pk_\mathcal{T}, c^*_1, \{1, \ldots, n_c\}), (\beta^*, r_1))$, and $\tau^* = \mathsf{ProveBind}((pk_\mathcal{T}, c^*_1, c^*_2), (\beta^*, r_1, sk_b, r_2))$. In order to ensure that we get a ballot of this form from $A'$ with high enough probability, $A$ repeats the above interaction with $A'$ $p(k)$ times to obtain $(n_c^1, \beta^1, b^*_1), \ldots, (n_c^{p(k)}, \beta^{p(k)}, b^*_{p(k)})$. $A$ outputs the decryption queries $(b^*_1[1], b^*_1[2], b^*_1[4]), \ldots, (b^*_{p(k)}[1], b^*_{p(k)}[2], b^*_{p(k)}[4])$, and receives $\mathsf{Dec}'(PK, SK_\mathcal{T}, (b^*_1[1], b^*_1[2], b^*_1[4])), \ldots, \mathsf{Dec}'(PK, SK_\mathcal{T}, (b^*_{p(k)}[1], b^*_{p(k)}[2], b^*_{p(k)}[4]))$. If there exist $i, j$ such that $\mathsf{Dec}'(PK, SK_\mathcal{T}, (b^*_i[1], b^*_i[2], b^*_i[4])) = (\beta^i, sk_0)$ and $\mathsf{Dec}'(PK, SK_\mathcal{T}, (b^*_j[1], b^*_j[2], b^*_j[4])) = (\beta^j, sk_1)$, or there exists no $i$ such that $\mathsf{Dec}'(PK, SK_\mathcal{T}, (b^*_i[1], b^*_i[2], b^*_i[4])) = (\beta^i, sk_0)$ or $(\beta^i, sk_1)$, then $A$ outputs a random bit. Otherwise, if there exists $i$ such that $\mathsf{Dec}'(PK, SK_\mathcal{T}, (b^*_i[1], b^*_i[2], b^*_i[4])) = (\beta^i, sk_0)$, then $A$ outputs 0. Likewise, if there exists $i$ such that $\mathsf{Dec}'(PK, SK_\mathcal{T}, (b^*_i[1], b^*_i[2], b^*_i[4])) = (\beta^i, sk_1)$, then $A$ outputs 1.

We now argue that $A$ can determine the correct bit $b$ with non-negligible advantage.

There are three possible events that can occur in a run of $A$. The first possibility is that $A'$ fails on each of its $p(k)$ runs so that $A$ has to guess. This occurs with probability $(1 - \frac{1}{p(k)})^{p(k)}$. The second event is that $A'$ does succeed in one of its runs, but on a different run it outputs

$$b = \big(\mathsf{Enc}(pk_\mathcal{T}, \beta; r_1),\ \mathsf{Enc}(pk_\mathcal{T}, sk_{1-b}; r_2),\ \mathsf{ProveCiph}((pk_\mathcal{T}, c_1, \{1, \ldots, n_c\}), (\beta, r_1)),\ \mathsf{ProveBind}((pk_\mathcal{T}, c_1, c_2), (\beta, r_1, sk_{1-b}, r_2))\big).$$

However, because $sk_0$ and $sk_1$ are chosen randomly, the probability of this occurring is negligible. Finally, the third possibility is that $A'$ succeeds in at least one of its runs. This occurs with probability $\sum_{i=0}^{p(k)-1} (1 - \frac{1}{p(k)})^i \cdot \frac{1}{p(k)}$. In the first two events, $A$ guesses and wins with probability $\frac{1}{2}$, and in the third event $A$ wins with probability 1. Therefore, the total probability that $A$ wins is

$$\Big(\sum_{i=0}^{p(k)-1} \big(1 - \tfrac{1}{p(k)}\big)^i \cdot \tfrac{1}{p(k)}\Big) + \tfrac{1}{2}\big(1 - \tfrac{1}{p(k)}\big)^{p(k)} + \tfrac{1}{2}\mu(k),$$

for some negligible function $\mu$. We have that this expression is equal to:

$$\begin{aligned}
&\tfrac{1}{p(k)} \sum_{i=0}^{p(k)-1} \big(1 - \tfrac{1}{p(k)}\big)^i + \tfrac{1}{2}\big(1 - \tfrac{1}{p(k)}\big)^{p(k)} + \tfrac{1}{2}\mu(k) \\
&= \tfrac{1}{p(k)} \Big(p(k) - \big(1 - \tfrac{1}{p(k)}\big)^{p(k)} p(k)\Big) + \tfrac{1}{2}\big(1 - \tfrac{1}{p(k)}\big)^{p(k)} + \tfrac{1}{2}\mu(k) \\
&= 1 - \big(1 - \tfrac{1}{p(k)}\big)^{p(k)} + \tfrac{1}{2}\big(1 - \tfrac{1}{p(k)}\big)^{p(k)} + \tfrac{1}{2}\mu(k) \\
&= 1 - \tfrac{1}{2}\big(1 - \tfrac{1}{p(k)}\big)^{p(k)} + \tfrac{1}{2}\mu(k).
\end{aligned}$$

In order to determine the advantage of this adversary, we subtract $\frac{1}{2}$ from this:

$$\tfrac{1}{2} - \tfrac{1}{2}\big(1 - \tfrac{1}{p(k)}\big)^{p(k)} + \tfrac{1}{2}\mu(k).$$

As $k$ gets large, $(1 - \frac{1}{p(k)})^{p(k)}$ converges to $\frac{1}{e}$ and $\mu(k)$ goes to 0, so the entire expression converges to $\frac{1}{2}(1 - \frac{1}{e})$. This is non-negligible.

Combining this reduction with Lemma 29, we have that if $\Pi_{JCJ}$ satisfies IND-1-CPA, then JCJ satisfies $\mathsf{Exp\text{-}EV\text{-}Int\text{-}Weak}$. □


D. Election verifiability

By Propositions 26, 27 and 30, election schemes constructed from generalized JCJ satisfy election verifiability with internal authentication:

Corollary 31. Suppose $\Gamma$, $\Sigma_1$, $\Sigma_2$, $\Sigma_3$, $\Sigma_4$, $\Sigma_5$, $\Sigma_6$ and $\mathcal{H}$ satisfy the preconditions of the figure defining generalized JCJ. Further suppose that $\Gamma$ satisfies IND-CPA and is collision-free, $\Sigma_1$ and $\Sigma_6$ satisfy special soundness and special honest verifier zero-knowledge, and $\mathcal{H}$ is a random oracle. We have $\mathsf{JCJ}(\Gamma, \Sigma_1, \Sigma_2, \Sigma_3, \Sigma_4, \Sigma_5, \Sigma_6, \mathcal{H})$ satisfies election verifiability with internal authentication.

E. Proof: Theorem 5

Proof of Theorem 5. We know that $\Gamma$ satisfies IND-CPA, and by Corollary 25 $\Gamma$ is also collision-free. Therefore the proof follows from Corollary 31, subject to the applicability of Theorem 9 to the mixnet and to the sigma protocol used by JCJ to prove correct key construction. □


Appendix I

Juels et al. Definitions

Juels et al. [79, §2] define an election scheme as a tuple $(\mathsf{Register}, \mathsf{Vote}, \mathsf{Tally}, \mathsf{Verify})$ of probabilistic polynomial-time algorithms:

• Register, denoted $(pk, sk) \leftarrow \mathsf{Register}(SK_\mathcal{R}, i, k_1)$, is executed by the registrars. Register takes as input the private key $SK_\mathcal{R}$ of the registrars, a voter's identity $i$, and security parameter $k_1$. It outputs a credential pair $(pk, sk)$.

• Vote, denoted $b \leftarrow \mathsf{Vote}(sk, PK_\mathcal{T}, n_c, \beta, k_2)$, is executed by voters. Vote takes as input a voter's private credential $sk$, the public key $PK_\mathcal{T}$ of the tallier, the number of candidates $n_c$, the voter's choice $\beta$, and security parameter $k_2$. It outputs a ballot $b$.

• Tally, denoted $(X, P) \leftarrow \mathsf{Tally}(SK_\mathcal{T}, BB, n_c, \{pk_i\}_{i=1}^{n_v}, k_3)$, is executed by the tallier. Tally takes as input the private key $SK_\mathcal{T}$ of the tallier, the bulletin board $BB$, the number of candidates $n_c$, the set containing voters' public credentials, and security parameter $k_3$. It outputs the tally $X$ and a proof $P$ that the tally is correct.

• Verify, denoted $v \leftarrow \mathsf{Verify}(PK_\mathcal{R}, PK_\mathcal{T}, BB, n_c, X, P)$, can be executed by anyone to audit the election. Verify takes as input the public key $PK_\mathcal{R}$ of the registrars, the public key $PK_\mathcal{T}$ of the tallier, the bulletin board $BB$, the number of candidates $n_c$, a candidate tally $X$, and a candidate proof $P$ of correct tallying. It outputs a bit $v$, which is 1 if the tally successfully verifies and 0 on failure.

The above definition fixes an apparent oversight in JCJ's presentation: we supply the registrars' public key as input to the verification algorithm, because that key would be required by Verify to check the signature on the electoral roll.

Juels et al. [79, §3] formalize correctness and verifiability to capture their notion of election verifiability. We rename those to JCJ-correctness and JCJ-verifiability to avoid ambiguity. For readability, the definitions we give below contain subtle differences from the original presentation. For example, we sometimes use for loops instead of pattern matching.

JCJ-correctness asserts that an adversary cannot modify or eliminate votes of honest voters, and stipulates that at most one ballot is tallied per voter. Intuitively, the security definition challenges the adversary to ensure that verification succeeds and the tally$^{35}$ does not include some honest votes or contains too many votes. The definition of JCJ-correctness fixes apparent errors in the original presentation: the adversary is given the credentials for corrupt voters and distinct security parameters are supplied to the Register and Vote algorithms. The original presentation also omits an implicit assumption: $\{\beta_i\}_{i \in V \setminus V'}$ is a multiset of valid votes, that is, for all $\beta \in \{\beta_i\}_{i \in V \setminus V'}$ we have $1 \le \beta \le n_c$. Without this assumption the security definition cannot be satisfied by many election schemes, including the election scheme by Juels et al.

Definition 31 (JCJ-correctness). An election scheme $\Pi = (\mathsf{Register}, \mathsf{Vote}, \mathsf{Tally}, \mathsf{Verify})$ satisfies JCJ-correctness if for all probabilistic polynomial-time adversaries $A$, there exists a negligible function $\mu$, such that for all positive integers $n_c$ and $n_v$, and security parameters $k_1$, $k_2$, and $k_3$, we have $\mathsf{Succ}(\mathsf{Exp\text{-}JCJ\text{-}Cor}(\Pi, A, n_c, n_v, k_1, k_2, k_3)) \le \mu(k_1, k_2, k_3)^{36}$, where $\mathsf{Exp\text{-}JCJ\text{-}Cor}$ is defined as follows

$\mathsf{Exp\text{-}JCJ\text{-}Cor}(\Pi, A, n_c, n_v, k_1, k_2, k_3) =$

1 $V \leftarrow \{1, \ldots, n_v\}$;
2 for $i \in V$ do $(pk_i, sk_i) \leftarrow \mathsf{Register}(SK_\mathcal{R}, i, k_1)$;
3 $V' \leftarrow A(\{pk_i\}_{i \in V})$;
4 for $i \in V \setminus V'$ do $\beta_i \leftarrow A()$;
5 $BB \leftarrow \{\mathsf{Vote}(sk_i, PK_\mathcal{T}, n_c, \beta_i, k_2)\}_{i \in V \setminus V'}$;
6 $(X, P) \leftarrow \mathsf{Tally}(SK_\mathcal{T}, BB, n_c, \{pk_i\}_{i=1}^{n_v}, k_3)$;
7 $BB \leftarrow BB \cup A(BB, \{(pk_i, sk_i)\}_{i \in V \cap V'})$;
8 $(X', P') \leftarrow \mathsf{Tally}(SK_\mathcal{T}, BB, n_c, \{pk_i\}_{i=1}^{n_v}, k_3)$;
9 if $\mathsf{Verify}(PK_\mathcal{R}, PK_\mathcal{T}, BB, n_c, X', P') = 1 \wedge \big(\{\beta_i\}_{i \in V \setminus V'} \not\subseteq \langle X' \rangle \vee |\langle X' \rangle| - |\langle X \rangle| > |V'|\big)$ then
10   return 1
11 else
12   return 0

³⁵ Juels et al. translate tallies $X$ into multisets $\langle X \rangle$ representing the tally as follows: $\langle X \rangle = \biguplus_{1 \le j \le |X|} \{\underbrace{j, \ldots, j}_{X[j]\ \text{times}}\}$.

³⁶ We write $\mu(k_1, k_2, k_3)$ for the smallest value in $\{\mu(k_1), \mu(k_2), \mu(k_3)\}$ (cf. [79, p. 45]).


A. Proof: Proposition 6

Suppose $\Pi =$ (Register, Vote, Tally, Verify) is an election scheme
satisfying JCJ-correctness and JCJ-verifiability. Further suppose
$\mathrm{Stuff}(\Pi, \beta, \kappa) = (\mathrm{Register}, \mathrm{Vote}, \mathrm{Tally}_S, \mathrm{Verify}_S)$,
for some integers $\beta, \kappa \in \mathbb{N}$. We prove that
$\mathrm{Stuff}(\Pi, \beta, \kappa)$ satisfies JCJ-correctness and JCJ-verifiability.

We show that $\mathrm{Stuff}(\Pi, \beta, \kappa)$ satisfies JCJ-correctness by
contradiction. Suppose
$\mathrm{Succ}(\mathrm{Exp\text{-}JCJ\text{-}Cor}(\mathrm{Stuff}(\Pi, \beta, \kappa), A, nc, nv, k_1, k_2, k_3))$
is non-negligible for some $k_1$, $k_2$, $k_3$, $nc$, $nv$, and $A$. Hence,
there exists an execution of the experiment

$\mathrm{Exp\text{-}JCJ\text{-}Cor}(\mathrm{Stuff}(\Pi, \beta, \kappa), A, nc, nv, k_1, k_2, k_3)$

that satisfies


The JCJ-correctness definition implicitly assumes that the tally and
associated proof are honestly computed using the Tally algorithm. By
comparison, the definition of JCJ-verifiability (Definition 32) does not
use this assumption; hence, JCJ-verifiability is intended to assert that
voters and auditors can check whether votes have been recorded and tallied
correctly. Intuitively, the adversary is assumed to control the tallier and
voters, and the security definition challenges the adversary to concoct an
election (that is, the adversary generates a bulletin board $BB$, a tally
$X$, and a proof of tallying $P$) such that verification succeeds and tally
$X$ differs from the tally $X'$ derived from honestly tallying the bulletin
board $BB$. It follows that there is at most one verifiable tally that can be
derived.


Definition 32 (JCJ-verifiability). An election scheme $\Pi =$ (Register,
Vote, Tally, Verify) satisfies JCJ-verifiability if for all probabilistic
polynomial-time adversaries $A$, there exists a negligible function $\mu$,
such that for all positive integers $nc$ and $nv$, and security parameters
$k_1$, $k_2$, and $k_3$, we have
$\mathrm{Succ}(\mathrm{Exp\text{-}JCJ\text{-}Ver}(\Pi, A, nc, nv, k_1, k_2, k_3)) \le \mu(k_1, k_2, k_3)$,
where Exp-JCJ-Ver is defined as follows:

$\mathrm{Exp\text{-}JCJ\text{-}Ver}(\Pi, A, nc, nv, k_1, k_2, k_3) =$

1  for $1 \le i \le nv$ do $(pk_i, sk_i) \leftarrow \mathrm{Register}(SK_R, i, k_1)$;
2  $(BB, X, P) \leftarrow A(SK_T, \{(pk_i, sk_i)\}_{i=1}^{nv})$;
3  $(X', P') \leftarrow \mathrm{Tally}(SK_T, BB, nc, \{pk_i\}_{i=1}^{nv}, k_3)$;
4  if $\mathrm{Verify}(PK_R, PK_T, BB, nc, X, P) = 1 \wedge X \ne X'$ then
5    return 1
6  else
7    return 0


Appendix J

Proofs: Juels et al. Admit Attacks

This appendix contains proofs demonstrating that the definition of election
verifiability by Juels et al. [79] admits collusion and biasing attacks
(§VI). We have reported these findings to the original authors [24], [73].


$\mathrm{Verify}_S(PK_R, PK_T, BB, nc, X', P') = 1 \wedge (\{\beta_i\}_{i \in V \setminus V'} \not\subseteq \langle X' \rangle \vee |\langle X' \rangle| - |\langle X \rangle| > |V'|)$

with non-negligible probability, where $\{\beta_i\}_{i \in V \setminus V'}$ is the set
of honest votes, $(X, P)$ is the tally of honest votes, $(X', P')$ is the
tally of all votes, $V'$ is a set of corrupt voter identities, and $BB$ is
the bulletin board. Further suppose $BB_0$ is the bulletin board $BB$ before
adding stuffed ballots. By definition of $\mathrm{Tally}_S$, there exist
computations

$(Y, Q) \leftarrow \mathrm{Tally}(SK_T, BB_0, nc, \{pk_i\}_{i=1}^{nv}, k_3)$

and

$(Y', Q') \leftarrow \mathrm{Tally}(SK_T, BB, nc, \{pk_i\}_{i=1}^{nv}, k_3)$

such that $X = \mathrm{Add}(Y, \beta, \kappa)$, $X' = \mathrm{Add}(Y', \beta, \kappa)$,
and $P' = Q'$. Since $\kappa \in \mathbb{N}$, we have
$\langle Y' \rangle \subseteq \langle X' \rangle$. Moreover,
$|\langle X \rangle| = |\langle Y \rangle| + \kappa$ and
$|\langle X' \rangle| = |\langle Y' \rangle| + \kappa$, hence,

$|\langle Y' \rangle| - |\langle Y \rangle| = |\langle X' \rangle| - |\langle X \rangle|$.

By definition of $\mathrm{Verify}_S$ and since $Y' = \mathrm{Sub}(X', \beta, \kappa)$,
there exists a computation

$v \leftarrow \mathrm{Verify}(PK_R, PK_T, BB, nc, Y', Q')$

such that $v = 1$. It follows that

$\mathrm{Verify}(PK_R, PK_T, BB, nc, Y', Q') = 1 \wedge (\{\beta_i\}_{i \in V \setminus V'} \not\subseteq \langle Y' \rangle \vee |\langle Y' \rangle| - |\langle Y \rangle| > |V'|)$

with non-negligible probability and, furthermore,
$\mathrm{Succ}(\mathrm{Exp\text{-}JCJ\text{-}Cor}(\Pi, A, nc, nv, k_1, k_2, k_3))$
is non-negligible, thereby deriving a contradiction.

We show that $\mathrm{Stuff}(\Pi, \beta, \kappa)$ satisfies JCJ-verifiability by
contradiction. Suppose
$\mathrm{Succ}(\mathrm{Exp\text{-}JCJ\text{-}Ver}(\mathrm{Stuff}(\Pi, \beta, \kappa), A, nc, nv, k_1, k_2, k_3))$
is non-negligible for some $k_1$, $k_2$, $k_3$, $nc$, $nv$, and $A$. Hence,
there exists an execution of the experiment
$\mathrm{Exp\text{-}JCJ\text{-}Ver}(\mathrm{Stuff}(\Pi, \beta, \kappa), A, nc, nv, k_1, k_2, k_3)$
which satisfies

$\mathrm{Verify}(PK_R, PK_T, BB, nc, X, P) = 1 \wedge X \ne X'$

with non-negligible probability, where $(BB, X, P)$ is an election concocted
by the adversary and $(X', P')$ is produced by tallying $BB$. By definition
of $\mathrm{Tally}_S$, there exists a computation

$(Y', Q') \leftarrow \mathrm{Tally}(SK_T, BB, nc, \{pk_i\}_{i=1}^{nv}, k_3)$

such that $X' = \mathrm{Add}(Y', \beta, \kappa)$ and $P' = Q'$. By definition of
$\mathrm{Verify}_S$, there exists a computation

$v \leftarrow \mathrm{Verify}(PK_R, PK_T, BB, nc, \mathrm{Sub}(X, \beta, \kappa), P)$

such that $v = 1$. Let the adversary $B$ be defined as follows: given input
$K$ and $S$, the adversary $B$ computes

$(BB, X, P) \leftarrow A(K, S)$

and outputs $(BB, \mathrm{Sub}(X, \beta, \kappa), P)$. We have an execution of
the experiment $\mathrm{Exp\text{-}JCJ\text{-}Ver}(\Pi, B, nc, nv, k_1, k_2, k_3)$
that concocts the election $(BB, \mathrm{Sub}(X, \beta, \kappa), P)$ and
tallying $BB$ produces $(Y', Q')$ such that

$\mathrm{Verify}(PK_R, PK_T, BB, nc, \mathrm{Sub}(X, \beta, \kappa), P) = 1$

with non-negligible probability. Moreover, since $X \ne X'$ and
$Y' = \mathrm{Sub}(X', \beta, \kappa)$, we have
$\mathrm{Sub}(X, \beta, \kappa) \ne Y'$ with non-negligible probability. It
follows immediately that
$\mathrm{Succ}(\mathrm{Exp\text{-}JCJ\text{-}Ver}(\Pi, B, nc, nv, k_1, k_2, k_3))$
is non-negligible, thus deriving a contradiction and concluding our proof. □
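The proof above is easier to follow with a concrete instance in hand. The following Python model is an added example, not code from the paper or from JCJ: it implements a toy (Register, Vote, Tally, Verify) scheme (random-token credentials, no proof of tallying, Verify simply re-tallies the bulletin board, and the registrars' public key $PK_R$ modelled as the set of registered public credentials), the $\mathrm{Stuff}(\Pi, \beta, \kappa)$ transformation with $\mathrm{Tally}_S$ and $\mathrm{Verify}_S$, and the winning conditions of line 9 of Exp-JCJ-Cor and line 4 of Exp-JCJ-Ver. Add and Sub are assumed to add or remove $\kappa$ votes for candidate $\beta$ from a tally vector, which is what the proof's identities $|\langle X \rangle| = |\langle Y \rangle| + \kappa$ and $Y' = \mathrm{Sub}(X', \beta, \kappa)$ require but this page does not define. Running it shows the point of Proposition 6: the stuffed scheme reports $\kappa$ more votes for $\beta$ than were cast, rejects the honest tally, and still wins neither experiment.

```python
import hashlib
import secrets
from collections import Counter

# Toy model of the (Register, Vote, Tally, Verify) interface and of the
# Stuff(Π, β, κ) transformation from the proof of Proposition 6. Constructed
# for illustration only: it is not JCJ, has no cryptographic strength, uses no
# proofs of tallying (P is None), and models the registrars' public key PK_R
# as the set of registered public credentials (an assumption of this toy).

SEC = 16  # toy security parameter, stands in for k1, k2, k3

def register(sk_r, i, k1):
    """Register(SK_R, i, k1): credential pair (pk, sk); pk = H(sk) in the toy."""
    sk = secrets.token_hex(k1)
    return hashlib.sha256(sk.encode()).hexdigest(), sk

def vote(sk, pk_t, nc, beta, k2):
    """Vote(sk, PK_T, nc, β, k2): a ballot is (public credential, choice)."""
    assert 1 <= beta <= nc
    return hashlib.sha256(sk.encode()).hexdigest(), beta

def tally(sk_t, bb, nc, pks, k3):
    """Tally(SK_T, BB, nc, {pk_i}, k3): one ballot per registered credential.
    Returns the tally vector X (X[j] = votes for candidate j, X[0] unused)."""
    x, seen = [0] * (nc + 1), set()
    for pk, beta in sorted(bb):
        if pk in pks and pk not in seen and 1 <= beta <= nc:
            seen.add(pk)
            x[beta] += 1
    return x, None

def verify(pk_r, pk_t, bb, nc, x, p):
    """Verify(PK_R, PK_T, BB, nc, X, P): accept iff X equals a re-tally of BB."""
    x_prime, _ = tally(None, bb, nc, pk_r, None)
    return 1 if x == x_prime else 0

def multiset(x):
    """⟨X⟩ of footnote 35: candidate j occurs X[j] times."""
    return Counter({j: x[j] for j in range(1, len(x)) if x[j] > 0})

# Add/Sub are assumed (the page does not define them) to add or remove
# κ votes for candidate β from a tally vector.
def add(y, beta, kappa):
    x = list(y)
    x[beta] += kappa
    return x

def sub(x, beta, kappa):
    y = list(x)
    y[beta] -= kappa
    return y

def stuff(beta, kappa):
    """Stuff(Π, β, κ) = (Register, Vote, Tally_S, Verify_S)."""
    def tally_s(sk_t, bb, nc, pks, k3):
        y, q = tally(sk_t, bb, nc, pks, k3)
        return add(y, beta, kappa), q          # X = Add(Y, β, κ), P = Q
    def verify_s(pk_r, pk_t, bb, nc, x, p):
        return verify(pk_r, pk_t, bb, nc, sub(x, beta, kappa), p)
    return register, vote, tally_s, verify_s

def jcj_cor_wins(honest_votes, x, x_prime, n_corrupt):
    """Line 9 of Exp-JCJ-Cor: adversary wins iff an honest vote is missing
    from ⟨X'⟩ or more than |V'| ballots were added between X and X'."""
    hv, mx, mxp = Counter(honest_votes), multiset(x), multiset(x_prime)
    missing = any(mxp[j] < n for j, n in hv.items())
    extra = sum(mxp.values()) - sum(mx.values()) > n_corrupt
    return missing or extra

def jcj_ver_wins(tally_fn, verify_fn, sk_t, pk_r, pk_t, bb, nc, x, p):
    """Line 4 of Exp-JCJ-Ver: adversary wins iff Verify accepts X and X ≠ X'."""
    x_prime, _ = tally_fn(sk_t, bb, nc, pk_r, SEC)
    return verify_fn(pk_r, pk_t, bb, nc, x, p) == 1 and x != x_prime

def demo(nc=3, nv=5, beta=2, kappa=4):
    """Honest voters only (V' = ∅); compare Π with Stuff(Π, β, κ)."""
    sk_r, sk_t, pk_t = "SK_R", "SK_T", "PK_T"              # placeholder keys
    creds = {i: register(sk_r, i, SEC) for i in range(1, nv + 1)}
    pk_r = {pk for pk, _ in creds.values()}
    choices = {i: (i % nc) + 1 for i in creds}             # constructed votes
    bb = {vote(creds[i][1], pk_t, nc, choices[i], SEC) for i in creds}
    _, _, tally_s, verify_s = stuff(beta, kappa)
    x, p = tally(sk_t, bb, nc, pk_r, SEC)                  # honest tally
    x_s, p_s = tally_s(sk_t, bb, nc, pk_r, SEC)            # stuffed tally
    return {
        "honest": x,
        "stuffed": x_s,
        "verify_s_accepts_stuffed": verify_s(pk_r, pk_t, bb, nc, x_s, p_s),
        "verify_s_accepts_honest": verify_s(pk_r, pk_t, bb, nc, x, p),
        # in both experiments X = X' = the stuffed tally, so neither wins
        "cor_adversary_wins": jcj_cor_wins(list(choices.values()), x_s, x_s, 0),
        "ver_adversary_wins": jcj_ver_wins(tally_s, verify_s, sk_t, pk_r,
                                           pk_t, bb, nc, x_s, p_s),
    }
```

With five honest voters choosing candidates 2, 3, 1, 2, 3, `demo()` returns the honest tally `[0, 1, 2, 2]` and the stuffed tally `[0, 1, 6, 2]`; $\mathrm{Verify}_S$ accepts only the stuffed tally, and both winning conditions are false, exactly as the two halves of the proof argue. The weakness being illustrated is in the definition, not in any scheme: because Exp-JCJ-Cor compares $\langle X' \rangle$ against a tally $X$ that the same $\mathrm{Tally}_S$ produced, and Exp-JCJ-Ver compares a concocted $X$ against $\mathrm{Tally}_S$ itself, stuffing that is applied consistently in both places is invisible to them.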

B. Proof: Proposition 7

We define key leakage before proving Proposition 7.

Definition 33 (Key leakage). An election scheme $\Pi =$ (Register, Vote,
Tally, Verify) does not leak the tallier's private key if for all positive
integers $nc$ and $nv$, security parameters $k_1$ and $k_3$, and
probabilistic polynomial-time adversaries $A$, we have
$\mathrm{Succ}(\mathrm{Exp\text{-}leak}(\Pi, A, k_1, k_3, nc, nv))$ is negligible,
where Exp-leak(·) is defined as follows:

$\mathrm{Exp\text{-}leak}(\Pi, A, k_1, k_3, nc, nv) =$

1  for $1 \le i \le nv$ do $(pk_i, sk_i) \leftarrow \mathrm{Register}(SK_R, i, k_1)$;
2  $BB \leftarrow A(sk_1, \ldots, sk_{nv})$;
3  $(X, P) \leftarrow \mathrm{Tally}(SK_T, BB, nc, \{pk_i\}_{i=1}^{nv}, k_3)$;
4  if $A(X, P) = SK_T$ then
5    return 1
6  else
7    return 0

Proof of Proposition 7. Suppose $\Pi =$ (Register, Vote, Tally, Verify) is
an election scheme satisfying JCJ-correctness and JCJ-verifiability that
does not leak the tallier's private key, and
$\mathrm{Backdoor}(\Pi) = (\mathrm{Register}, \mathrm{Vote}, \mathrm{Tally}_B, \mathrm{Verify}_B)$.
Since $\Pi$ does not leak the tallier's private key, the experiment
$\mathrm{Exp\text{-}JCJ\text{-}Cor}(\Pi, A, nc, nv, k_1, k_2, k_3)$ produces a
bulletin board $BB$ such that $SK_T \in BB$ with negligible probability, for
all $k_1$, $k_2$, $k_3$, $nc$, $nv$ and $A$. It follows that an execution of
the experiment
$\mathrm{Exp\text{-}JCJ\text{-}Cor}(\mathrm{Backdoor}(\Pi), A, nc, nv, k_1, k_2, k_3)$
is an execution of the experiment
$\mathrm{Exp\text{-}JCJ\text{-}Cor}(\Pi, A, nc, nv, k_1, k_2, k_3)$ with
non-negligible probability and, hence, $\mathrm{Backdoor}(\Pi)$ satisfies
JCJ-correctness.

We show that $\mathrm{Backdoor}(\Pi)$ satisfies JCJ-verifiability by
contradiction. Suppose
$\mathrm{Succ}(\mathrm{Exp\text{-}JCJ\text{-}Ver}(\mathrm{Backdoor}(\Pi), A, nc, nv, k_1, k_2, k_3))$
is non-negligible for some $k_1$, $k_2$, $k_3$, $nc$, $nv$, and $A$. Hence,
there exists an execution of the experiment
$\mathrm{Exp\text{-}JCJ\text{-}Ver}(\mathrm{Backdoor}(\Pi), A, nc, nv, k_1, k_2, k_3)$
which satisfies

$\mathrm{Verify}(PK_R, PK_T, BB, nc, X, P) = 1 \wedge X \ne X'$

with non-negligible probability, where $(BB, X, P)$ is an election concocted
by the adversary and $(X', P')$ is produced by tallying $BB$. If there is one
and only one $Y$ such that $(SK_T, Y) \in BB$, then $X' = Y$ by definition of
Tally and $X = Y$ by definition of Verify; otherwise, the execution of the
experiment
$\mathrm{Exp\text{-}JCJ\text{-}Ver}(\mathrm{Backdoor}(\Pi), A, nc, nv, k_1, k_2, k_3)$
is an execution of the experiment
$\mathrm{Exp\text{-}JCJ\text{-}Ver}(\Pi, A, nc, nv, k_1, k_2, k_3)$ and, hence,

$\mathrm{Succ}(\mathrm{Exp\text{-}JCJ\text{-}Ver}(\mathrm{Backdoor}(\Pi), A, nc, nv, k_1, k_2, k_3))
= \mathrm{Succ}(\mathrm{Exp\text{-}JCJ\text{-}Ver}(\Pi, A, nc, nv, k_1, k_2, k_3))$.

In both cases we derive a contradiction, thereby concluding our proof. □

C. Proof sketch: Proposition 8

Suppose $\Pi =$ (Register, Vote, Tally, Verify) is an election scheme
satisfying JCJ-correctness and JCJ-verifiability. Further suppose
$\mathrm{Bias}(\Pi, Z) = (\mathrm{Register}, \mathrm{Vote}, \mathrm{Tally}, \mathrm{Verify}_Z)$,
for some set of vectors $Z$. By definition of $\mathrm{Verify}_Z$, we have

$\mathrm{Verify}_Z(PK_R, PK_T, BB, nc, X, P) = 1$

implies the existence of a computation

$v \leftarrow \mathrm{Verify}(PK_R, PK_T, BB, nc, X, P)$

such that $v = 1$ with non-negligible probability, for all $PK_R$, $PK_T$,
$BB$, $nc$, $X$, and $P$. It follows that

$\mathrm{Succ}(\mathrm{Exp\text{-}JCJ\text{-}Cor}(\mathrm{Bias}(\Pi, Z), A, nc, nv, k_1, k_2, k_3))
\le \mathrm{Succ}(\mathrm{Exp\text{-}JCJ\text{-}Cor}(\Pi, A, nc, nv, k_1, k_2, k_3))$

and

$\mathrm{Succ}(\mathrm{Exp\text{-}JCJ\text{-}Ver}(\mathrm{Bias}(\Pi, Z), A, nc, nv, k_1, k_2, k_3))
\le \mathrm{Succ}(\mathrm{Exp\text{-}JCJ\text{-}Ver}(\Pi, A, nc, nv, k_1, k_2, k_3))$

for all $k_1$, $k_2$, $k_3$, $nc$, $nv$, and $A$. Hence, $\mathrm{Bias}(\Pi, Z)$
satisfies JCJ-correctness and JCJ-verifiability. □